Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/04/2024, 04:58
Static task: static1
Behavioral task: behavioral1
Sample: 2fb85bbc997fde43bf7bf8757015a1759225f672032851dc45d455fb667518d7.exe
Resource: win7-20240221-en
General
Target: 2fb85bbc997fde43bf7bf8757015a1759225f672032851dc45d455fb667518d7.exe
Size: 1.4MB
MD5: 84d727a5eefe1e620ad856885a6795cd
SHA1: e4c57614162bc334ad3ff65268b2afe8c8b7a60a
SHA256: 2fb85bbc997fde43bf7bf8757015a1759225f672032851dc45d455fb667518d7
SHA512: 7a425ff396f78ebcf725e8dacbc8b88e0df315f75da935cf69e734aaef3f8b06b8b4956160656462b6ade712761a379501342174d8233b26a9dde075f64fd92f
SSDEEP: 12288:COiB+tnN+cVShCiuyDXBhEUnJA8wwpDXmbSqHo4Lv/4+Y+qQTf0mfL6J:COiBvcVTiHLEUnJEwprmfHP35f0mfm
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid   Process
1712  alg.exe
3020  elevation_service.exe
4464  elevation_service.exe
4472  maintenanceservice.exe
4992  OSE.EXE
3420  DiagnosticsHub.StandardCollector.Service.exe
2200  fxssvc.exe
1540  msdtc.exe
4136  PerceptionSimulationService.exe
1604  perfhost.exe
3444  locator.exe
2204  SensorDataService.exe
2852  snmptrap.exe
1980  spectrum.exe
3912  ssh-agent.exe
1292  TieringEngineService.exe
3768  AgentService.exe
2620  vds.exe
1384  vssvc.exe
4432  wbengine.exe
4396  WmiApSrv.exe
4300  SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
description                   ioc                                                                              Process
File opened for modification  C:\Windows\system32\TieringEngineService.exe                                     elevation_service.exe
File opened for modification  C:\Windows\System32\vds.exe                                                      elevation_service.exe
File opened for modification  C:\Windows\system32\AgentService.exe                                             elevation_service.exe
File opened for modification  C:\Windows\system32\AppVClient.exe                                               elevation_service.exe
File opened for modification  C:\Windows\system32\dllhost.exe                                                  elevation_service.exe
File opened for modification  C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe        elevation_service.exe
File opened for modification  C:\Windows\system32\SgrmBroker.exe                                               elevation_service.exe
File opened for modification  C:\Windows\System32\snmptrap.exe                                                 elevation_service.exe
File opened for modification  C:\Windows\system32\spectrum.exe                                                 elevation_service.exe
File opened for modification  C:\Windows\System32\OpenSSH\ssh-agent.exe                                        elevation_service.exe
File opened for modification  C:\Windows\system32\vssvc.exe                                                    elevation_service.exe
File opened for modification  C:\Windows\system32\fxssvc.exe                                                   elevation_service.exe
File opened for modification  C:\Windows\System32\msdtc.exe                                                    elevation_service.exe
File opened for modification  C:\Windows\system32\MSDtc\MSDTC.LOG                                              msdtc.exe
File opened for modification  C:\Windows\SysWow64\perfhost.exe                                                 elevation_service.exe
File opened for modification  C:\Windows\System32\SensorDataService.exe                                        elevation_service.exe
File opened for modification  C:\Windows\system32\SearchIndexer.exe                                            elevation_service.exe
File opened for modification  C:\Windows\System32\alg.exe                                                      2fb85bbc997fde43bf7bf8757015a1759225f672032851dc45d455fb667518d7.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Roaming\c8106fb3990ca9c2.bin   alg.exe
File opened for modification  C:\Windows\system32\msiexec.exe                                                  elevation_service.exe
File opened for modification  C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe         elevation_service.exe
File opened for modification  C:\Windows\system32\locator.exe                                                  elevation_service.exe
File opened for modification  C:\Windows\system32\wbengine.exe                                                 elevation_service.exe
File opened for modification  C:\Windows\system32\wbem\WmiApSrv.exe                                            elevation_service.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description                   ioc                                                                      Process
File opened for modification  C:\Windows\DtcInstall.log                                                msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  elevation_service.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                    Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
3020 elevation_service.exe
3020 elevation_service.exe
3020 elevation_service.exe
3020 elevation_service.exe
3020 elevation_service.exe
3020 elevation_service.exe
3020 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
660 Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 3756 2fb85bbc997fde43bf7bf8757015a1759225f672032851dc45d455fb667518d7.exe
Token: SeDebugPrivilege 1712 alg.exe
Token: SeDebugPrivilege 1712 alg.exe
Token: SeDebugPrivilege 1712 alg.exe
Token: SeTakeOwnershipPrivilege 3020 elevation_service.exe
Token: SeAuditPrivilege 2200 fxssvc.exe
Token: SeRestorePrivilege 1292 TieringEngineService.exe
Token: SeManageVolumePrivilege 1292 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3768 AgentService.exe
Token: SeBackupPrivilege 1384 vssvc.exe
Token: SeRestorePrivilege 1384 vssvc.exe
Token: SeAuditPrivilege 1384 vssvc.exe
Token: SeBackupPrivilege 4432 wbengine.exe
Token: SeRestorePrivilege 4432 wbengine.exe
Token: SeSecurityPrivilege 4432 wbengine.exe
Token: 33 4300 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4300 SearchIndexer.exe
Token: SeDebugPrivilege 3020 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 4300 wrote to memory of 1188 4300 SearchIndexer.exe 120
PID 4300 wrote to memory of 1188 4300 SearchIndexer.exe 120
PID 4300 wrote to memory of 4440 4300 SearchIndexer.exe 121
PID 4300 wrote to memory of 4440 4300 SearchIndexer.exe 121
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2fb85bbc997fde43bf7bf8757015a1759225f672032851dc45d455fb667518d7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2fb85bbc997fde43bf7bf8757015a1759225f672032851dc45d455fb667518d7.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3756
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1712
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4464
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID:4472
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:4992
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:3420
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:2628
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2200
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1540
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4136
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1604
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3444
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2204
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2852
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1980
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3912
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:756
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1292
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3768
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2620
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1384
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4432
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:4396
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4300
-
  C:\Windows\system32\SearchProtocolHost.exe (child of SearchIndexer.exe, PID 4300)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:1188
-
  C:\Windows\system32\SearchFilterHost.exe (child of SearchIndexer.exe, PID 4300)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:4440
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 48f22bcd7d95a12685255f8e99b56af0
SHA1 fe6e7f9f5f6e729a595b3dbfdb919b163e4de63b
SHA256 2e36815952dae9cb7f519622aa05f6376f5aa08d86086ce0040da29226171a3a
SHA512 9faf535e2b258394be0b98ae865e6e7a0f683a13100ba37ed16a5d9051212af33990a1dd2b0028c7efdce54a18e9093466c8e343c20a8fb8123427407138998c
-
Filesize 1.4MB
MD5 fd0b8a58ef308c487b69082e84a96348
SHA1 dee7b8ecddc4636347d0a1ed6b445d3d5d0c0855
SHA256 8f571d766bb107a212e12fba3f111da0d75413e82cc6a01c0e5818af7de2b8b0
SHA512 df340c29e77bc28dbcd7b584feed8cd92308eb3ef77e022e9ae3d6e028590c81a700a112d17928412cd0858e8e3fd2791579da1f48797f91c6bc28ff766d0fbf
-
Filesize 1.8MB
MD5 db69016900c5b69d74e9327d963639c2
SHA1 d582d69a486d967674754c034f0ba3f74920d109
SHA256 d70a633936aeeae1ad0c218c22d0aa05f5202b73bab814c7512ff1c79aaa1697
SHA512 c3df7555ff4932f3f280ab4d3e2ad0e321d25992fbc50b3c3c035c4ee03811cdfbdb7e122e281feb6ce127dc7640502687a8bd54368746f02eae78fb93344b20
-
Filesize 1.5MB
MD5 83e7cfaf0aa3963fdc83270768e94d31
SHA1 1bc3895ec2cb190309c29a1654de1d907a6d3cc7
SHA256 7ec39b18c00a99bff85ff80021de5b5d2ccb7b2a1fa470e119b9c40d49b9247d
SHA512 861cf2644e6e00e2cff9eabd0eb39930d8481f40ca761a308e0587a8799e45c12668da163d4ad28980c375eafce4243c54f7358e7e4048f210cab18a4b47b88f
-
Filesize 1.2MB
MD5 4e79019de1e3639623f76189fb088e89
SHA1 360133ed28e857089337e29e0e3f1c43939a6912
SHA256 9ee56b00b31f0d2ba4527c2edbc0513104a72807d09b15c7eb3ad0d4ceb1ba13
SHA512 bea9f50572c6fe654de8f8d5449259a4f63d9bb4f740e6f8025891ad47b6c5d80ee575a90e215a84c4740f3051e5b6f4e3adeac2ef8797729025e2b698a71a24
-
Filesize 1.2MB
MD5 0583476c4c991ca0906d8b061f664bdf
SHA1 8279ce564926db9ef0e6853acffc7fd7d5aea98f
SHA256 6489911f018c619b15b0b2e8c0ff9c535f2c3177111106bfd94d37e73aa1271a
SHA512 cb8db5fc3a326c86518a899a8f72ba8d426a984c74f57244ab08b54340c6d92a5e5fb6ec8002f8b2c5f402a71f2e06e733f5396991440f13b71449e4927cb65f
-
Filesize 1.5MB
MD5 0a8837a8fe7ef5f2c449250aa9a632b6
SHA1 91da4f68b1f15b299b5197ff6963faedda8d3744
SHA256 5eed4eccf45400118ceaee2b6d456a7a5f70fa51e0af7ff861684c9bc81ebc28
SHA512 18d41af02db4ebf569e6bee9dad3cb3a2c72780eb9170c008c3f3e65d7fdd90ebb4e3dcc5354305dae29e0917a38b7c4973a27a3159d27da549e476337822af0
-
Filesize 4.6MB
MD5 1fa34491bbb3bdf8981a08529c03efe6
SHA1 8e5ec7cc7bbf56cfba617c92f52fb82f90777b3b
SHA256 0e6a6b3cef1258f68a0784944b55e0a47a58c8c735f0f0e09de8e61b9174b861
SHA512 3aa62b8296b066ac65ee5d960af66407be98fa08e490c584f5798c02a008150952677eff429f4762e793c797df57eb11c04c2d5390a2e7e6047b0f99f07bd3dc
-
Filesize 1.6MB
MD5 3fc4e571a400a04f1635a51a1addc59d
SHA1 49d40dc99385d9ac5ac65d7cb0546083ca25865d
SHA256 ceb9d43afbf819ed14ed36ca43ecab352ff5a6ea96d4eca9e910c241ccbbfe34
SHA512 a681248693e3f76d8725cadf6785823380c4d3abc4d0a9aa03aa23a46caef5609e3bf9b232fea61faf075006e8db5e27288176c430d9a805fb00f4063cc28986
-
Filesize 24.0MB
MD5 e5d49d54427379a830f4d241426863b6
SHA1 38d00998fa3ad1fe72e38efb9b69059b330e4d92
SHA256 c38e53d900a51df434f94ec41beea8fa732c60bd6d3d5a9766ee1a9de0867f5d
SHA512 5ae4a47c633c3b04d28d8e80d77f8e058997ddc8a069b384377e70a6da0189dc2b097cfdbd469d52346df9174fff9da31efeadc4d56f76723f3e556f6e7af5d8
-
Filesize 2.7MB
MD5 1a5f82343b70c01c0e4bbc450c5523d4
SHA1 0ada643ef79e2f969d3f4a65bd2c3f92ec0d2ea8
SHA256 15d10a87c0fd77569fd5b4d74f87cf8e77f044d2a5cbc590b466a65872773684
SHA512 d2e88f6b5a7b85206e36ad0d1247071b22a938674af546aa8beb8d25b29d875f6233950665bec0b4b6e9e160c6180f883bf29bd1d63b343bf221916850c93539
-
Filesize 1.1MB
MD5 7b15162dd8988eb627d2bdbbd5db8854
SHA1 9ff6c07de75a9544a1b1f2d1e79470228b9f217f
SHA256 1fc035513aacaf2278b2b7962eafa4f2656e8689725e9c615a4bb372e17ebfaf
SHA512 64d5260727e6a133f95348d6067ed4e1b94e53a02397cca254924c7a7ea893009b927c7ff60a2908c34e436c04d0408af4d17d2fc0923c6f62ec8ebbc057b11e
-
Filesize 1.5MB
MD5 06002f1236735837694b0fa11098a0f2
SHA1 18ff3f2b595b28262756ffc40a1c00fb08959e1a
SHA256 3a37abd0d2d66259659400231c3dbe4d3634ced15c110b6308c968fc2efa6384
SHA512 d7c58cfc8fef4f3d3063266c3c64094061dbe114bd79ea380d1e656a85d3c1762057efb92542bb0c93df9a24459778884f882889c30e0ebb9294cafc0ad3c758
-
Filesize 1.3MB
MD5 2422338c81263a8b17e47b295950cb2a
SHA1 8bfa6d0922f6fa2e824d6eb2cf0c73e48485a4ec
SHA256 fb74f6d8cde8c5c236d5442de5f3bebe4490466e2d7f0131ae9235a2ffbd3492
SHA512 d627d07dd81c13f940638c5754f8b9ecde8d4a8d251b729e307826da098e787f7400b831fa313f3a62553a1b8aef34c7c063635e17c3a3832a8313d74b97ec4c
-
Filesize 4.8MB
MD5 288c93bd6c0ed552c2b5ae43897ac234
SHA1 a9ca9a0062b2e7268b805b2b954126723404fe5a
SHA256 e7d32a5007ddfd5b05add9ec39dc8e6f9aa16a9d33b59c24ef97f7423d3f7406
SHA512 e831e8f0c8f058e69f2c04528b4a660287668f87a22b931f7e3f6d68cee13bfde36e39e07c81347c57e451cb5b6d4c95acb6d68dab4a2cdb5d103ad095954a6f
-
Filesize 4.8MB
MD5 22c94ba7486fabf4162bbccb3a44cdf0
SHA1 f55e99b32e0f638dc7ba72476a69b0865757847f
SHA256 886c11bfaa3135359e68fcee6b5fde823f15552ebc49bd12523399259dd0aa4d
SHA512 eda9aaced59d74a7620921bd20cbd667f945424b8f764d88b320ccc50e9c70f6123d1a637ea919ccb6fd0ad64af6f094c8152c90d06fd5b3e2cbac81f8b5b634
-
Filesize 2.2MB
MD5 82430ec82d7ebff08d192cd9ac19b55f
SHA1 57a30c866216fce69ab6894ddb7742a130e5c2ca
SHA256 8a4f81a374e84782126d9e4aa55ec65d15914b0b4f39feb7e9d4f6ce3d8f760a
SHA512 497ec2a1097676549056cbe9bcae6e51791d395df83b4681fab8e5229baf291594e05cbc2c0707d59560afb13c53610162946a9a8ac8b54fc03cbf8ee14c3146
-
Filesize 2.1MB
MD5 c2ea03fdf48e0c5fbaedab15ba2ee548
SHA1 2b0318f83af79cc125c6d46750ba8886bf5098b2
SHA256 11f94fc843c1e34a26a7ba881a2717e84e3d8c800bfe38b793932a964271b0ca
SHA512 71c8250677166f95c6e4e1bebcf8e7483cfa7591323b4e776cadc3afb47270f5c5968b81722f225a747d823a7e2ec7b5766ecea054c5bc6c5b1242750ca7ce77
-
Filesize 1.8MB
MD5 a9f97f6ccbf95edcb0ad32cb3c54f456
SHA1 1c64ee7de8e128ab3a3b4f31abab0f9f4e8b2617
SHA256 66e6c81f6727857d1e397e5a8b2aca9b183766f13a1ac38d07c570df1cf574de
SHA512 f4436d6c7b07a4e11cb3ca929e3fa24d2b661d4b9b51ba130bc49b1cdc67d9fccec0e9429f4f26f7d6ca75431fa0ba31f6bb658bb22576894fb9ce616d53af3e
-
Filesize 1.5MB
MD5 fa5628e42ad51ca97c7e69a8b7556759
SHA1 68eedf19ee2898a1a1c859ae00f8184fb583aded
SHA256 600d116c081b12aad593230eec5db41d312300218272fb1b183bf129628d10c2
SHA512 c52b8d7ea85a2b6d1f47dee01bfdf632a5bec56286455cd762f82b24da353dad9cf565db1cf763d485fc24ffe711a9e81d51a8de1f36b94dd038414925a59534
-
Filesize 1.2MB
MD5 aba2014c6172342bf086f044c1ea6f17
SHA1 b80cca09c6a51f78ff7adb4b0795505e0971f1c0
SHA256 9bf354d3d873281e6f261803bb52dff04498277af3033e50123a7a601c67b904
SHA512 3fa0e558925430212790cf44803c0a6a9af5bffa3d0172ffc4442fa6ce70c755cb99fbf1bcca89554b831be1d4231ec7cca3977952089eeb65b5cd068ce192cf
-
Filesize 1.2MB
MD5 526ad34002ce71579121831b8ecf37a3
SHA1 c059c066d7f8348d9280ab054c47052fa108e22e
SHA256 85015b02356d4b5af08a86e457e741fe616feb99961040c4c9131d17ebc63da9
SHA512 d688c0670a9ebf73c9ef3e983209b7e697f9cc728c0cadfc82b91de7e61e8c8395c060a9c7e12c245ae0804c9aea85918e7c580102c629eb3dd2b2d33f50f422
-
Filesize 1.2MB
MD5 fcc06798e0f8088657524488d6f62574
SHA1 4a7261ba33526b3f37a1ccf2eed24469398da349
SHA256 f810ddc85048ebf1c346fb70a9a9b4b33ed623fb0bceae90a3b1983f6c617ea7
SHA512 4c5707ff772c9bb9e6e6bb88198869d0b84423da036f6aa1ebd703f6b87404cefe0fe7a4ff9288055b94bbfffb6c9632c5fe9cef5e6d781da399ed1b9fc560cc
-
Filesize 1.3MB
MD5 2226d60a140a44a2215c1fb2a6a993f1
SHA1 6494424cbd76e70b74ea71e0511bf602ed9b3991
SHA256 be2fcf33d563bf574af55c29cce57ea22aa6188270e03d15c131108a8305428d
SHA512 8165463e9c6f5274c224f4f22b18f59360aa1b1fd69229f9e7ef2693b9a3e666348ba52116fe972c22fcfabe1b8b2d1087874e3d73f54dc96d2dcad0b918487c
-
Filesize 1.2MB
MD5 01d2e1c3b022d854a0a84916d6c8fc57
SHA1 db1c5e19dd817f3768a0ec77c18b2bb5c9905fbe
SHA256 60c02b2d4015669ed2cbff7f69abc8d3d4da72a153057b4683816e877c7053ed
SHA512 8e3856108a9071507d9c7480e645c3e424cbd370ad816026fe43a23dcf85e3d05906cc8107d001050b92fadb298fda1114480b6fed361ce147d8a1a945978bb4
-
Filesize 1.2MB
MD5 a157ba29b3cad55541a0531c90e581e2
SHA1 d48ca671045804bb1b39e4bc4dc8fb996aa6d393
SHA256 2a32843064ed4a225e77a612de646a9661cf71a3309263e390df6a8152960707
SHA512 55dc82d4752541e80ea10675825e26988987b1cd10cd118c69ee95697db5ecb1fa54e5a5ebf8b92bd0a532cce528d415b2eea162f06457dd6c7b4af83af8e89a
-
Filesize 1.2MB
MD5 2e35e65eb81676ee0b7bf079c418c374
SHA1 c864bbc055cfcaf3e4f4b4604089cc31a71c643f
SHA256 77e8894843de47965f6183d87745d793ccabcfece77d4f316f3c893f56e50bb2
SHA512 782d0c9a0240e8a97b715601dcf267e191b2160981f60cdc95a181e39af4b812314d1bee3df4fcaf657db0aa90f112a9a3975f91028041d5874a3cc88101fbd2
-
Filesize 1.5MB
MD5 4ed3c2796984db8a06e13f5b96c77c70
SHA1 ff9a289a95b440f97c3b4f19d0d7573844eccb3e
SHA256 b7a305676850bdfedd7f700305527e0d234193e7cd9c111302f98bed1721e10d
SHA512 6429bf252729af9df2891dce0a3c4d56c9351ff84c086f4e8fb5af44fa6fbc4d1faf5569c7f03dfcdf078caaec9d86b9bcd50be34d9a47180ed89c965188245a
-
Filesize 1.2MB
MD5 a7443320b18bad05efd525b84e914218
SHA1 7269cc9db70c34174ca906eb6ba13f80a88695a5
SHA256 3d69b207811ab57542896245a8ae622c2189925f8feee73de027e5dca1da35bb
SHA512 7d7d1324c995c126b6d946532d60ddca84cfdca29d852b2476c728852ddd126f48af5ef7b40fa21c70368f1c81558b9fa258585080dcb525bbd64d4c63c96729
-
Filesize 1.2MB
MD5 3b4953a4affd0c3570927b0a8adee859
SHA1 a805b91b82482d832dec698a8a9c5be533534585
SHA256 f8f0ebba7bccaed6a350622892e8f7153c7f8a090e7c4393fe5fbdace20bbfbf
SHA512 1ad88791ac9e34d8914b8b58fd7d08baf414705a72d5c570769045dec8fb75c6cd37124d0e7f5e98d166cc32dfefdc870ae0e59edfc68e29f94a829a49747f5b
-
Filesize 1.4MB
MD5 1c1d972ed11e479fa4da8a10f66ab99c
SHA1 5025147e0d560cb51314410a54f2f139bb7d5429
SHA256 5658818e50cee4db8968bc0ca66fe4131c2edf6724cc707a842197eb654f4820
SHA512 b5493865de65d9d787871c5e8980ef51d600868f63764ebcb5855c5b4967146eff788bc1e315afa7e9355756d9025b21b6866cf633938f4ba2bb8547113368e1
-
Filesize 1.2MB
MD5 64379ac102d2deed2c63e95e24718adc
SHA1 7857e50dbd4a5ccd24233aa8537b4fda8635e4e6
SHA256 7d24c0645d9764cf1eb6e228158453ce8cb7cf4bf4aef97b34510f822659cfe5
SHA512 b200b8c747f67be524155262663bab1524c771d2dea088d89807bff564711f5baf4fc32cb03395a242fe3a500f95e1457f2ac12b716d2e13a4bd7da46feb508d
-
Filesize 1.2MB
MD5 730bc59cd71f3d960514904bada5f4b0
SHA1 3a58c1a6367d96592e1d046739fe03713969457c
SHA256 af332d8a8d71809157c17eded133cdff478c0ced2d64c392d2bc4bc0de067e40
SHA512 ca26e638666febff24b9c8d99ad4b9b2f9f96f3b8ddc047bf46b0c016e146832892a1903bca8334b409650c7c2244832ca11a6f3327dbe51b578650bedfcfa99
-
Filesize 1.4MB
MD5 46e0f59825727900f7d612a596f4b067
SHA1 cc976b18335f57fa43b6ea9b0847cbf4a0074bc4
SHA256 95288d30b34815a5b24aaf173cd99d10c95f6d9a29d5aa5a4ebacdd8f69af896
SHA512 767ed7533c88c281f750b2859f281cd33b8a4c0b12d037f7531072cfc29b16a1fa3e411bdee4e42faf36b29a8f8d197a89de774ba822b04fed83f469486bf23c
-
Filesize 1.5MB
MD5 49f9da9d6cccf13efa879b93f9843ba8
SHA1 e62cd9aded8c10e1fc723f7cd8e2dbe0d36b85d3
SHA256 7932e89f4c61080c83e42f33e01d06221c105ee2bbfbe19dbe21b844a85646c1
SHA512 0688ab9702320bb050d0cd90aad05ae92c19339bcd78d64440e0ef94bb90679e599e9972f18e930e68c1106555fd67a0e589a7fd33e5b968c6e691e70045f49a
-
Filesize 1.7MB
MD5 04bd44b11a9456e82192da32b1613634
SHA1 2cda151b345d1db8724f38e665d9f2437c957d19
SHA256 dfeb4c89e8d6637e93767dff962cf8da4c0bf00d2907544654ea7d924265ae71
SHA512 78100ed8051a13d67f073eacc0818cd260f75431aeebd1a42cf97a74bd9765b970e5dd156910b57a3f436c915f2ea69815a6033ea3686763067e4b291cfdfea3
-
Filesize 1.2MB
MD5 cc48f418837c87d181d332b83c15cc49
SHA1 e1ebe2d25d826297f42456aa6e841343be685c74
SHA256 42ca5c97af577024d26b2aa2195d349cc32f1d420879a47decfcd28edb289f30
SHA512 e1555e6266790d5901c1d9f40e86ff31d209da2be4d86a3f1cf756e91f213c323258501fbb3c34f40f18addab5e3ecc16bb558f72b3ecb6acab62b6b1ba7135a
-
Filesize 1.2MB
MD5 4b63c9ef1619bc9740b4594081b813e7
SHA1 df294612a94005f8f1cd026ae61ce6dc0abf0d3b
SHA256 47d48d0453b5c12ad1175258c6997dbf0418c9eff1e4aafef3ee8f45ee725aba
SHA512 c9cc07704202ff8f52c5a431309dff2aa032fabc69f704876e7b074213dc8ade6e7336b0d17fe425130beef766ff212a0860a0a09e1239ff4a24723ee2d6bbe5
-
Filesize 1.2MB
MD5 7414f1827c9c3ab98576093763cfc391
SHA1 8c5a068938f81328a7e2694ce5472c8ad62a311b
SHA256 8924df9a43209e2bb3d27b809ead5896262a46d7fa17cfc724c405cbc2d83555
SHA512 167c8a24f77468aae3d99d94a535fb59d0aff0067c7c49142f451fdb8be87bea92cc6f6b27d9230979d6de015fba4b612a2d0bc701cb40901609599a1e477a70
-
Filesize 1.2MB
MD5 5386df448366fe7fc50e1197d6584b51
SHA1 6fc90cb22cf1ff0e440300f3e6268b694f866cad
SHA256 6bf029a6073f08af039b198b00e9397a204b0b22ec3302374f64dfeac4882525
SHA512 ae434e5ea5ad3d1d8ee10abfa96ba5f9ef2127b083f4fdb5dc92d485059dd5157bd2e999bb409f74efc2f6bde8620cd6b7ef663aa19973b44973ac2923125e93
-
Filesize 1.2MB
MD5 3a4978210404d3bb6e9ffbcb8f1594d6
SHA1 f9139815231c08fde92cb03e2699f6cb524cbb08
SHA256 5de87d313fae08871a5fbfcc66c9a84034815df416a282a408ddf89399f40c88
SHA512 f687f1f12c265d784b36695782373ddb0a4e4dff19a777b43682c22d0a61552346a76710c35357d833ddac81c5f501c8d0cfa7c4e7ca0aeede9992c794c27efc
-
Filesize 1.2MB
MD5 1033c588624a667eda1ce38427b6314b
SHA1 243320ce0757a78736453e12634ca04ff2ee2a0e
SHA256 22acbe79ba0c245ef2b355188624ef1ceb63b11d460d248deffd2fd9ee738467
SHA512 98e9d5ad0d67b30fe561e1ce93aade476a718313e4007e7cf2e8c2a17215cbcd5250fee22efc50c983440118a86ac79fb76874f05abba4980cc441a087c964f3
-
Filesize 1.4MB
MD5 67a301e591c4f2002007a785629693c8
SHA1 6ca96df87a93d1e12b41a1049ad2488ddc35e913
SHA256 f0f8c38522b4aaf08231dc18d9d62f0b6480947269db7a9c63525b56f3f766d2
SHA512 4da745ce7870d0763539b12d2b0b3216130bdb59fb1911a534ed6d30a61cf049c6d4a6cb65892f4e8d22911b59840b62f23a7018882a016067adbfa4743a9eef
-
Filesize 1.2MB
MD5 2e095c8fa52f49ce0669f9d70b68f442
SHA1 26e5dff150e86a45be89e051c6cd0a58d71f878f
SHA256 a4b277edbd6e214602b823e5edf8d51fbf627986e68a3ae5e65b5e612e7a5234
SHA512 a0a67947fe4c7620174b3e828e7699425fd1ce36293bb771c8eecca37de63cefcd8b7f019fcb33cb08ba781d42db5191bad93d34228b4195a83c445fc73e69e3
-
Filesize 1.7MB
MD5 5c68eeebbd4c239bcfc45cf5b7d56135
SHA1 f90056a1e78bfbdce905548ef02924fe06e3b948
SHA256 eaee248cc15b0d423c24f71ddb6e3b6aadfa611193dec78b7d928a4cfdcd2754
SHA512 761e680dd1b551006bea34f5b6c2c490ff111b2df1373ef01944130fd33d73ed03aae9fa5bb876a378237b65c8b3e425d31d0f0d1864ea4edc59e7d64d7853fd
-
Filesize 1.3MB
MD5 fcc8ccb9921ae69f55863b18d4a55a03
SHA1 964bcc84b4fc2229467f594ea3a705e1adfce51c
SHA256 f40bbc288873afb037c8a5c4bfb91e4f9f72f1bf7238b4501faeeddad288f76a
SHA512 8e70b613eaba91d9b6e1978f6ca407f0ba80e1c1284050815d66b91275f128fb339268196e5e663aa6f312ee267fed0efb50bf44903bc619eb470ddcdb4d9902
-
Filesize 1.2MB
MD5 dd49dcc9b3a3fdb980c904c5cbb6e5c6
SHA1 f900e0162e58835d54f00a69122d7ded7617b017
SHA256 040b152a29a3feb6ba8a5860cc1305788cb9ac9371d3b3df1de63b736ba232f6
SHA512 a6fe4d47b01ae6bbcf06fe2a5c4ac6347dd964a15b0ac23533fd9bf2970b4e722072f517f5c5d4167908a3bf036d13ed91fef31358f601e91c3a8c7f9e2942b3
-
Filesize 1.2MB
MD5 e4f8b880752c490679475faeb0668f5f
SHA1 0e69daeebe0751e7f5a2565d307dcd178edd9fcd
SHA256 3a970807544e188b7ef1e030554dca5756145b2232ab6f8310251114f859e9af
SHA512 b972e9d6944912271f60de10987539bcb38bef555193c9657608ecac9ce4d0ce152a2aa988ad26075736103ef1cba2b63a4da70266030e2108dd03842ae98766
-
Filesize 1.6MB
MD5 1a9aaef8fd92855e8596aa39c2b1532d
SHA1 25cba5dba0ba1d2ffa1edb717c41a336072bb623
SHA256 88f203272eda8be285556b46ec38a04f11316d928e4bff3452efa8f4992c4653
SHA512 891432e09d51174e6a6330176e37399abe19214a7ad8fff1f912120561c7cccbed355aca31d922e292abe2cc9ec623d8bb5201c2395fc2d50fe282379dd85f1a
-
Filesize 1.3MB
MD5 f68364937f8e429d591e1d3911e2779a
SHA1 86da1d57fb72e13c0cf88dde68fbbea9bfc474bf
SHA256 4f27a68951244a6c8638c9c4854102195eb954cdee6a2cb8867c00e6f5bdce24
SHA512 09537e6f57ad90ae0ad182633cdd30eb8b4212d1d15037a17231dce06ca13056e5cf9ea9b576a11877e6b7834433a88be6c8666684f2092376767e9b95168454
-
Filesize 1.4MB
MD5 853284a7b0d7d648eb291cc71cacf9ba
SHA1 951ac53a0e2179b3e3a6ed5447d9cbea7eb14eb3
SHA256 7eb44c9e0cbe63011da2d8a16e8fb38bf7b387a1f955618050c414f87a0af020
SHA512 15059b18e2e537f59695da5dc07ac97985e74ddbd6ea7925a9323ed7dd99c19d17e9bc6517be2281e5c1b7c188452b674fc4f0a11830f3c7f87ffac41f1ed028
-
Filesize 1.8MB
MD5 8c5d63869f6549605a5158ad9fb1a7d8
SHA1 e7bc6b540260c275688ab12cca6c455ab75b5bdc
SHA256 52ee9e9ddceff6b3fe56fc576a247b06c29c02415c2c78e1f8dc69f29cd4740f
SHA512 c882fafdcca7e56b9a9b6a9d34c98ed0fb1c95f7fbcb7a64b20cd10eab9770895288504191b71e96cc1768d7bbc7f5a54cf150765fbf69ec678f768958a7958b
-
Filesize 1.4MB
MD5 7a370fe9ac49d1e114c2f274cd037b42
SHA1 f4a016cc2ef07f5e157d0faa58e72975ae823b22
SHA256 897eb94b4387605979170f9a57c27a455172cade98a53930cd04d1c146f1d514
SHA512 8daeac7cac952b9f190185d5c29bddd3cab6d1e5f6fc2c6924b1d500ba3d5a9c05d24f364e40186e5dbb47df1405cc29fbbf16fa2d73022c029c49316c121331
-
Filesize 1.5MB
MD5 04085e252244a3179679934834b077d8
SHA1 c6e4f39011f5067d225de77f6cabbed2e9917360
SHA256 2e5a412259724e1ee88fa087ae45e55e8c0c0ebf905b94f146bf1e1d4d84632b
SHA512 c95d83c80c98ffbf4c38b6867cad1995e5af836c4e94ff9a1b1ca7012c84e49808fa2586ebc6952566fdbb3dc9704dc043fb566444c2ae3b7318a1e67f0efc38
-
Filesize 2.0MB
MD5 236b0c4132bf448f48a86425159c2b39
SHA1 99d88f18ca3f9a4ae43fd1381231b270ca1ab710
SHA256 400fbf14a2057a54b73eff4e2e04bc76b989e7eaa8886108ea09d1f117612b11
SHA512 a3d9ba3c75df712f4ca07df545eb73bead326e71baf091d36f1d857e189e2279682814b985b969da590ec5315c6d27846c4b571cf9313cd09990a280be3af56e
-
Filesize 1.3MB
MD5 ebd9ecc2ad139e5ac23f4c799122277f
SHA1 39e7af51facc8926ef852a543523fbf3fd607ca2
SHA256 ca4a0e789304ef9ce205bf6981dc59ee4ff23407ba98b0c41a5e25fab8b34929
SHA512 5e212cc4d257717ef23d50154b67365c301e672af6f658b02c5a6f26dec23c18f51c85b5ed9de3a4a4fa83810fdcbce09a8301512ce6763ef1f9709b1829daeb
-
Filesize 1.4MB
MD5 5ed30ee8ed086284ff7c94daabe4dd81
SHA1 6105909d1b34f21c16f831d81f9a4601c69bbf2e
SHA256 f11893bc968c5be310a69e448c1cca04f51b7a7e8598d3d3a3a01e465230a5c7
SHA512 d15b144c7387bc6fb46915d356ef140437aa1d6e09a5801f7d2e1369ba8712679164ad46a1e3238928b0c2c194bca20ef688a7e5c87eb4f8d802ed6ba2542f22
-
Filesize 1.2MB
MD5 67687857e1c45f386a7a723b58e8d5a1
SHA1 30069b286aaa01c899bf1704c8c2d67c0d152946
SHA256 fb9d3e95feb10b0942127248ce9410c383c4a8e87c02247acd7670c70ee0531b
SHA512 e751c2585ad636b1bd253b591a754180b208176ec6e13b23f93c68df845e0ef162f3f160b307855170bd02e84e84b9f377e65df0e894b438e0ff07e65c58e98a
-
Filesize 1.3MB
MD5 da3982660a9fd238a249692949658504
SHA1 c71b45cec8dd7618ed3ae50ae25476f6debba03a
SHA256 eccf12e6ac7c246c55dc9606d519727262e2e1300d748a73f2871e05c1920ed9
SHA512 8a903b7a4f43e1ac8c79874355adf3a51d24028c5f5f193f8745131dc84ff1df541b504ee06c2392adb25e93c565de6bbea50219112f59c9e1c26a65e0e11e50
-
Filesize 1.4MB
MD5 e4fa66aa7a471db540ccf860b1490b5e
SHA1 e536ea992d4131c3c167ec9a3aaaca0135fb2b50
SHA256 3c1989066f1ab89c1bae5ce2b8b46c7c45852159901194b713ebb3fe49a6ebff
SHA512 b9644da77e0ba53dff714972d3c3fcfb37810fae470c98f27176b1332698ad2d787bf2ef925658cbcf357f62bada88fb6cb83182cc695a9c4f8a1906667291fb
-
Filesize 2.1MB
MD5 e13f0f48e9483819cb6a0065764fc879
SHA1 b036e048f5fe97b8758365a50667189e59c7c694
SHA256 88a19644c5b3312a1533b2aed9b56b5714aa7c0de63daaeb36d7865411e7583b
SHA512 4f194ad3b96b8b3878fd0a95a32358f25f66bd2dbfd01d961d121bc63e0b936cc056a7f95ae1c072f6a3b12f715e2930604ca21a68efac4ba75de5f32b48db70
-
Filesize 5.6MB
MD5 f87877e535c2069a50c2ecaea0b801dc
SHA1 51c91d01fe51f84cc7724b9ecd9bb39fcb0d5499
SHA256 42d63bf5ce01274dc4afd83499e6714b0d1cb6c3033270615685f4203fc6d02a
SHA512 885e509d928b55fd749cb2fffe378fbc32c717049ccf2b39156e131244ad8635a1e079c536e44d1012368f3034f9ba6f5d07b5ab849038322b9656c813c2fe51