Analysis

max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 23:14

Static task: static1
Behavioral task: behavioral1
Sample: 8d73d73cc1b61578e1ee54eb0f4db85aa78ae80b3eb4118ff37e4221f6a1b297.exe
Resource: win7-20240221-en

General

Target: 8d73d73cc1b61578e1ee54eb0f4db85aa78ae80b3eb4118ff37e4221f6a1b297.exe
Size: 985KB
MD5: dffe48911d16f9300432b97146fc3e4f
SHA1: 1d4bc8b9a68749bd0033f448741af1ab0e4cc9c6
SHA256: 8d73d73cc1b61578e1ee54eb0f4db85aa78ae80b3eb4118ff37e4221f6a1b297
SHA512: 471dad7bff88d184613469013abbb26504e6ac9a8f7fa77b4e5e09bb9289675ccf1bb61d6bd898d1c603171d84e4fd70c0861ece9fad415e1b8c8effcfb1e38e
SSDEEP: 24576:JbL88HFLHgZpJEd1N3RUDHNmdPCAaq8Nozgi/rE0TOj:JLtHFLHkJE58HNUPCAaq8Wdo0
Malware Config

Signatures

Executes dropped EXE (22 IoCs)
Processes: alg.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, OSE.EXE, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, msdtc.exe, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe
pid | process
736 | alg.exe
1560 | elevation_service.exe
3556 | elevation_service.exe
212 | maintenanceservice.exe
3988 | OSE.EXE
2952 | DiagnosticsHub.StandardCollector.Service.exe
1436 | fxssvc.exe
920 | msdtc.exe
1776 | PerceptionSimulationService.exe
4656 | perfhost.exe
3668 | locator.exe
1080 | SensorDataService.exe
3508 | snmptrap.exe
4296 | spectrum.exe
884 | ssh-agent.exe
1420 | TieringEngineService.exe
448 | AgentService.exe
1256 | vds.exe
2568 | vssvc.exe
4076 | wbengine.exe
1740 | WmiApSrv.exe
3708 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (24 IoCs)
Processes: elevation_service.exe, 8d73d73cc1b61578e1ee54eb0f4db85aa78ae80b3eb4118ff37e4221f6a1b297.exe, alg.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 8d73d73cc1b61578e1ee54eb0f4db85aa78ae80b3eb4118ff37e4221f6a1b297.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\48b2627a8ed1090.bin | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
Drops file in Program Files directory (64 IoCs)
Processes: elevation_service.exe, alg.exe, maintenanceservice.exe
description | ioc | process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{6FB5F2B8-50C9-4E27-9F75-756369A42747}\chrome_installer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | elevation_service.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76312\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76312\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | alg.exe

Drops file in Windows directory (2 IoCs)
Processes: elevation_service.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
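The three file-drop sections above share one row shape, "<description> <path> <process>", and together they show the sample opening C:\Windows\System32\alg.exe for modification, alg.exe then opening dozens of third-party and Windows executables (among them Chrome's elevation_service.exe), and elevation_service.exe opening still more. Turned into a worklist, those rows tell an incident responder which binaries on an affected host need re-hashing and an Authenticode check rather than a reboot. The script below is an added example written for this page, not code from the sandbox vendor or from the sample: it parses rows whether they sit one per line or run together, groups modified executables by the process that touched them, and reports the names that were both modified and later acted as writers. The sample rows are copied from the sections above; the assumption that the process column never contains a space holds for this report but is not guaranteed by the format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: rows copied from the "Drops file in System32 directory" and
# "Drops file in Program Files directory" sections of the report (one row per line).
SAMPLE_ROWS = r"""
File opened for modification C:\Windows\System32\alg.exe 8d73d73cc1b61578e1ee54eb0f4db85aa78ae80b3eb4118ff37e4221f6a1b297.exe
File opened for modification C:\Windows\system32\msiexec.exe elevation_service.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\48b2627a8ed1090.bin alg.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe elevation_service.exe
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe alg.exe
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log maintenanceservice.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe alg.exe
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe alg.exe
"""

# Row descriptions used by this report's file sections. A row is "<description> <path> <process>";
# the path may contain spaces, the process name (last token) does not (assumption for this report).
DESCRIPTIONS = ("File opened for modification", "File created")
_DESC_ALT = "|".join(re.escape(d) for d in DESCRIPTIONS)
ROW_RE = re.compile(rf"^(?P<desc>{_DESC_ALT}) (?P<path>.+) (?P<proc>\S+)$")
SPLIT_RE = re.compile(rf"(?={_DESC_ALT})")   # zero-width split in front of each description

EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".com", ".scr")


def parse_rows(text):
    """Parse rows whether they sit one per line or run together on a single line."""
    rows = []
    for chunk in SPLIT_RE.split(text):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = ROW_RE.match(chunk)
        if not m:
            raise ValueError(f"unparsed row: {chunk!r}")
        rows.append((m["desc"], m["path"], m["proc"]))
    return rows


def modified_executables(rows):
    """Executables opened for modification, mapped to the set of processes that opened them."""
    by_path = defaultdict(set)
    for desc, path, proc in rows:
        if desc == "File opened for modification" and path.lower().endswith(EXECUTABLE_EXT):
            by_path[path].add(proc)
    return dict(by_path)


def writer_counts(rows):
    """How many modification rows each process accounts for."""
    return Counter(proc for desc, _, proc in rows if desc == "File opened for modification")


def self_propagating(rows):
    """Process names that were themselves opened for modification and later show up as writers:
    the chain by which the infection spreads from the dropper into legitimate executables."""
    modified = {path.rsplit("\\", 1)[-1].lower() for desc, path, _ in rows
                if desc == "File opened for modification"}
    writing = {proc.lower() for desc, _, proc in rows if desc == "File opened for modification"}
    return sorted(modified & writing)


def rehash_worklist(rows):
    """Paths to re-hash and signature-check on the affected host, most-touched first."""
    mods = modified_executables(rows)
    return sorted(mods, key=lambda p: (-len(mods[p]), p.lower()))


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    touched = modified_executables(rows)
    for path in rehash_worklist(rows):
        print(path, "<-", ", ".join(sorted(touched[path])))
    print("writers:", dict(writer_counts(rows)))
    print("self-propagating:", self_propagating(rows))
```

On the sample rows the worklist puts jstack.exe first (opened by both elevation_service.exe and alg.exe) and the self-propagating set comes out as alg.exe and elevation_service.exe, which matches the order of the report: the sample writes alg.exe, alg.exe writes Chrome's elevation_service.exe, and both then appear as writers. Feed the worklist paths to Get-AuthenticodeSignature (or compare hashes against a clean image) on the host; a sandbox report shows that a file was opened for write, not what was written.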
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
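The SCSI and CentralProcessor sections above are the registry footprint of an environment check: the enumerator key names themselves carry the device identity (Enum\SCSI\<class>&Ven_<vendor>&Prod_<product>), FriendlyName is the value a program reads to get it as a string, and CentralProcessor\0\~MHz is a frequency a program can compare against what it measures itself. Both sections are attributed to Windows service binaries (spectrum.exe, SensorDataService.exe, TieringEngineService.exe) that the file sections show were opened for modification beforehand, and device-related services also enumerate SCSI keys legitimately, so the signal is the access pattern, not any single key. The script below is an added example for this page, not vendor or sample code: it pulls the device identity out of each key path, flags identities that carry hypervisor strings, and lists the processes whose reads fit an environment check. Sample rows are copied from the two sections above; the marker list is this example's own and deliberately treats "Msft Virtual DVD-ROM" as a hint only, since a mounted ISO on physical hardware reports the same name.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the "Checks SCSI registry key(s)" and
# "Checks processor information in registry" sections of the report (one row per line).
SAMPLE_ROWS = r"""
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 spectrum.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
"""

ROW_RE = re.compile(r"^(?P<desc>Key opened|Key value queried|Key created) (?P<path>.+) (?P<proc>\S+)$")
# Enumerator key layout: ...\Enum\SCSI\<class>&Ven_<vendor>&Prod_<product>\<instance>\...
SCSI_RE = re.compile(r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<vendor>[^&\\]+)&Prod_(?P<product>[^\\]+)", re.I)
CPU_RE = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+(?:\\(?P<value>[^\\]+))?$", re.I)

# Strings hypervisors commonly leave in storage identities (this example's own list).
# "Msft" + "Virtual" is what Hyper-V reports, but also what a mounted ISO on real hardware
# reports, so it is a hint rather than proof of a sandbox.
VM_MARKERS = ("virtual", "vmware", "vbox", "virtualbox", "qemu", "xen", "red hat")


def parse_rows(text):
    """One (description, key path, process) tuple per non-empty line."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append((m["desc"], m["path"], m["proc"]))
    return rows


def scsi_identity(path):
    """(class, vendor, product) for a SCSI enumerator key path, else None."""
    m = SCSI_RE.search(path)
    return (m["cls"], m["vendor"], m["product"]) if m else None


def looks_virtual(identity):
    _, vendor, product = identity
    probe = f"{vendor} {product}".replace("_", " ").lower()
    return any(marker in probe for marker in VM_MARKERS)


def summarize(rows):
    """Per process: storage identities it read, which of those carry a hypervisor string,
    and which CentralProcessor values it queried."""
    out = defaultdict(lambda: {"devices": set(), "vm_hints": set(), "cpu_values": set()})
    for desc, path, proc in rows:
        ident = scsi_identity(path)
        if ident:
            out[proc]["devices"].add(ident)
            if looks_virtual(ident):
                out[proc]["vm_hints"].add(ident)
            continue
        m = CPU_RE.search(path)
        if m and desc == "Key value queried" and m["value"]:
            out[proc]["cpu_values"].add(m["value"])
    return dict(out)


def suspicious(rows, min_devices=2):
    """Processes that walked several storage identities or read CPU details: the access
    pattern of an environment check. Device-management services do this legitimately too,
    so treat the result as a triage filter, not a verdict."""
    summary = summarize(rows)
    return sorted(p for p, s in summary.items()
                  if len(s["devices"]) >= min_devices or s["cpu_values"])


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for proc, s in summarize(rows).items():
        print(proc, sorted(s["devices"]), "vm hints:", sorted(s["vm_hints"]), "cpu:", sorted(s["cpu_values"]))
    print("check-like access:", suspicious(rows))
```

Two practical notes. First, Sysmon logs registry key creation and value writes (event IDs 12 and 13) but not reads, so this pattern is only visible in sandbox or API-monitor telemetry, not in a default Sysmon feed. Second, the "DADY" vendor string in this report does not match any hypervisor marker; the Msft Virtual DVD-ROM entries are what the script flags, which is consistent with the sandbox exposing one virtual optical drive alongside renamed devices.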
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, fxssvc.exe, SearchIndexer.exe, SearchFilterHost.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFF = 0100000000000000658648904189da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052fb5d904189da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b9a3c904189da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096fe1f904189da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cea7cb904189da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000428567904189da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
elevation_service.exepid process 1560 elevation_service.exe 1560 elevation_service.exe 1560 elevation_service.exe 1560 elevation_service.exe 1560 elevation_service.exe 1560 elevation_service.exe 1560 elevation_service.exe -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 652 652 -
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
8d73d73cc1b61578e1ee54eb0f4db85aa78ae80b3eb4118ff37e4221f6a1b297.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exedescription pid process Token: SeTakeOwnershipPrivilege 3588 8d73d73cc1b61578e1ee54eb0f4db85aa78ae80b3eb4118ff37e4221f6a1b297.exe Token: SeDebugPrivilege 736 alg.exe Token: SeDebugPrivilege 736 alg.exe Token: SeDebugPrivilege 736 alg.exe Token: SeTakeOwnershipPrivilege 1560 elevation_service.exe Token: SeAuditPrivilege 1436 fxssvc.exe Token: SeRestorePrivilege 1420 TieringEngineService.exe Token: SeManageVolumePrivilege 1420 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 448 AgentService.exe Token: SeBackupPrivilege 2568 vssvc.exe Token: SeRestorePrivilege 2568 vssvc.exe Token: SeAuditPrivilege 2568 vssvc.exe Token: SeBackupPrivilege 4076 wbengine.exe Token: SeRestorePrivilege 4076 wbengine.exe Token: SeSecurityPrivilege 4076 wbengine.exe Token: 33 3708 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 3708 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3708 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3708 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3708 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3708 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3708 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3708 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3708 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3708 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3708 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3708 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3708 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3708 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3708 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3708 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3708 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3708 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3708 SearchIndexer.exe Token: 
SeTakeOwnershipPrivilege 3708 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3708 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3708 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3708 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3708 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3708 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3708 SearchIndexer.exe Token: SeDebugPrivilege 1560 elevation_service.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exedescription pid process target process PID 3708 wrote to memory of 4272 3708 SearchIndexer.exe SearchProtocolHost.exe PID 3708 wrote to memory of 4272 3708 SearchIndexer.exe SearchProtocolHost.exe PID 3708 wrote to memory of 4344 3708 SearchIndexer.exe SearchFilterHost.exe PID 3708 wrote to memory of 4344 3708 SearchIndexer.exe SearchFilterHost.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d73d73cc1b61578e1ee54eb0f4db85aa78ae80b3eb4118ff37e4221f6a1b297.exe"C:\Users\Admin\AppData\Local\Temp\8d73d73cc1b61578e1ee54eb0f4db85aa78ae80b3eb4118ff37e4221f6a1b297.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3588
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:736
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1560
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3556
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:212
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:3988
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:2952
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:2696
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1436
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:920
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:1776
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:4656
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:3668
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1080
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:3508
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4296
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:884
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:4820
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1420
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:448
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:1256
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2568
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4076
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1740
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:4272 -
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 9002⤵
- Modifies data under HKEY_USERS
PID:4344
Network
MITRE ATT&CK Enterprise v15
Downloads