Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/04/2024, 05:03

Static task: static1
Behavioral task: behavioral1
Sample: da0a557701c6e26bb880ae32cf6e7eb68ebe22a1c37aa5894c32a9a79a73582a.exe
Resource: win7-20240221-en

General
Target: da0a557701c6e26bb880ae32cf6e7eb68ebe22a1c37aa5894c32a9a79a73582a.exe
Size: 1.6MB
MD5: e78cc8ce69012549b5865647ce866549
SHA1: 443001a55507c5e23b0b684fd645f4ee964bc8e3
SHA256: da0a557701c6e26bb880ae32cf6e7eb68ebe22a1c37aa5894c32a9a79a73582a
SHA512: 61cbecc589d1f4556a0e973840b0c3251e4c8fd233c891fe5efd7febcec050a3b74f457d06e18a94130e66ac53be8abd0e0fae5ce9f11beaff51f4255684780c
SSDEEP: 24576:phHe93UdkW/kPOtDn8BVj2SGgEm1QuR/YHuHO5b:phHe93GkW8PqoBViSGgRebuHOZ
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely as a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | da0a557701c6e26bb880ae32cf6e7eb68ebe22a1c37aa5894c32a9a79a73582a.exe
Executes dropped EXE (22 IoCs)
pid | Process
3952 | alg.exe
2752 | elevation_service.exe
3552 | elevation_service.exe
1580 | maintenanceservice.exe
3240 | OSE.EXE
2196 | DiagnosticsHub.StandardCollector.Service.exe
4468 | fxssvc.exe
2644 | msdtc.exe
3036 | PerceptionSimulationService.exe
1896 | perfhost.exe
1184 | locator.exe
1736 | SensorDataService.exe
2820 | snmptrap.exe
4656 | spectrum.exe
4456 | ssh-agent.exe
2664 | TieringEngineService.exe
3636 | AgentService.exe
4240 | vds.exe
3948 | vssvc.exe
4332 | wbengine.exe
3112 | WmiApSrv.exe
3024 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials among other sensitive data.
Drops file in System32 directory (24 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 2752 elevation_service.exe 2752 elevation_service.exe 2752 elevation_service.exe 2752 elevation_service.exe 2752 elevation_service.exe 2752 elevation_service.exe 2752 elevation_service.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 660 Process not Found 660 Process not Found -
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 1896 da0a557701c6e26bb880ae32cf6e7eb68ebe22a1c37aa5894c32a9a79a73582a.exe Token: SeDebugPrivilege 3952 alg.exe Token: SeDebugPrivilege 3952 alg.exe Token: SeDebugPrivilege 3952 alg.exe Token: SeTakeOwnershipPrivilege 2752 elevation_service.exe Token: SeAuditPrivilege 4468 fxssvc.exe Token: SeRestorePrivilege 2664 TieringEngineService.exe Token: SeManageVolumePrivilege 2664 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 3636 AgentService.exe Token: SeBackupPrivilege 3948 vssvc.exe Token: SeRestorePrivilege 3948 vssvc.exe Token: SeAuditPrivilege 3948 vssvc.exe Token: SeBackupPrivilege 4332 wbengine.exe Token: SeRestorePrivilege 4332 wbengine.exe Token: SeSecurityPrivilege 4332 wbengine.exe Token: 33 3024 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 3024 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3024 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3024 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3024 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3024 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3024 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3024 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3024 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3024 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3024 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3024 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3024 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3024 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3024 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3024 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3024 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3024 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3024 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3024 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3024 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3024 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3024 
SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3024 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3024 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3024 SearchIndexer.exe Token: SeDebugPrivilege 2752 elevation_service.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1896 wrote to memory of 4344 1896 da0a557701c6e26bb880ae32cf6e7eb68ebe22a1c37aa5894c32a9a79a73582a.exe 89 PID 1896 wrote to memory of 4344 1896 da0a557701c6e26bb880ae32cf6e7eb68ebe22a1c37aa5894c32a9a79a73582a.exe 89 PID 3024 wrote to memory of 368 3024 SearchIndexer.exe 122 PID 3024 wrote to memory of 368 3024 SearchIndexer.exe 122 PID 3024 wrote to memory of 4036 3024 SearchIndexer.exe 123 PID 3024 wrote to memory of 4036 3024 SearchIndexer.exe 123 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\da0a557701c6e26bb880ae32cf6e7eb68ebe22a1c37aa5894c32a9a79a73582a.exe"C:\Users\Admin\AppData\Local\Temp\da0a557701c6e26bb880ae32cf6e7eb68ebe22a1c37aa5894c32a9a79a73582a.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Users\Admin\AppData\Local\Temp\da0a557701c6e26bb880ae32cf6e7eb68ebe22a1c37aa5894c32a9a79a73582a.exe"C:\Users\Admin\AppData\Local\Temp\da0a557701c6e26bb880ae32cf6e7eb68ebe22a1c37aa5894c32a9a79a73582a.exe" uninstall2⤵PID:4344
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3952
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2752
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3552
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:1580
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:3240
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:2196
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:2176
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4468
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2644
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:3036
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:1896
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:1184
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1736
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:2820
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4656
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:4456
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:3800
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3636
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:4240
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3948
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4332
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:3112
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:368
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 9002⤵
- Modifies data under HKEY_USERS
PID:4036
-
Network
MITRE ATT&CK Enterprise v15
Downloads