Analysis
-
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 22:58
-
Static task: static1
Behavioral task: behavioral1
Sample: d15bb8084b67588a9e298fb6b6766786f7c80cb01f1d3018172781424a99a5bc.exe
Resource: win7-20240215-en
General
-
Target: d15bb8084b67588a9e298fb6b6766786f7c80cb01f1d3018172781424a99a5bc.exe
Size: 705KB
MD5: d62bafb7c6bc93c0e628a1c5d508850a
SHA1: df5b7abe638d4a52c8b5f797d368f5deb64ee40a
SHA256: d15bb8084b67588a9e298fb6b6766786f7c80cb01f1d3018172781424a99a5bc
SHA512: 010cc3a5073f66328e6ce118c1b444bf0fa267a0c0c4fe369d103bdc8a33bf6255601fe2cd57cce965e149275a04213b62eee99173a299637fd6bfaffcff8d7c
SSDEEP: 12288:vW9B+VoGt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPhe:vW9BCt/sBlDqgZQd6XKtiMJYiPUe
Malware Config
Signatures
-
Executes dropped EXE 22 IoCs
Processes: alg.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, OSE.EXE, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, msdtc.exe, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe
pid | process
216 | alg.exe
2200 | elevation_service.exe
932 | elevation_service.exe
4488 | maintenanceservice.exe
2432 | OSE.EXE
2652 | DiagnosticsHub.StandardCollector.Service.exe
1452 | fxssvc.exe
2888 | msdtc.exe
3236 | PerceptionSimulationService.exe
60 | perfhost.exe
3808 | locator.exe
836 | SensorDataService.exe
1188 | snmptrap.exe
4020 | spectrum.exe
1556 | ssh-agent.exe
980 | TieringEngineService.exe
3136 | AgentService.exe
3472 | vds.exe
3228 | vssvc.exe
3732 | wbengine.exe
2316 | WmiApSrv.exe
1272 | SearchIndexer.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 24 IoCs
Processes: elevation_service.exe, alg.exe, d15bb8084b67588a9e298fb6b6766786f7c80cb01f1d3018172781424a99a5bc.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\1d47731f2a644d7f.bin | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | d15bb8084b67588a9e298fb6b6766786f7c80cb01f1d3018172781424a99a5bc.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
-
Drops file in Program Files directory 64 IoCs
Processes: alg.exe, elevation_service.exe
description | ioc | process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | elevation_service.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_124281\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | elevation_service.exe
-
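Added example, not part of the report and not the sandbox's own tooling: a Python script that correlates the "Executes dropped EXE" table with the System32 and Program Files modification tables above. A subset of the report's rows is embedded as constructed input, and the column layout (pid/process and description/ioc/process) is assumed to be the one shown in those tables. The point it makes explicit is that the "dropped" executables are pre-existing Windows and third-party service binaries that the sample, alg.exe or elevation_service.exe opened for modification before they ran, while a few written files (the .bin under the system profile, MSDTC.LOG, SgrmBroker.exe) never appear as a process in this run.

```python
import re
from collections import defaultdict

# Constructed sample input: rows copied from this report's "Executes dropped
# EXE" (pid, process) table and from the "Drops file in System32 directory" and
# "Drops file in Program Files directory" (description, ioc, process) tables.
# Only a subset is embedded so the block stays short.
EXECUTED_ROWS = """
216 alg.exe
2200 elevation_service.exe
932 elevation_service.exe
4488 maintenanceservice.exe
2432 OSE.EXE
2652 DiagnosticsHub.StandardCollector.Service.exe
1452 fxssvc.exe
2888 msdtc.exe
3228 vssvc.exe
1272 SearchIndexer.exe
"""

DROP_ROWS = r"""
File opened for modification C:\Windows\System32\alg.exe d15bb8084b67588a9e298fb6b6766786f7c80cb01f1d3018172781424a99a5bc.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\1d47731f2a644d7f.bin alg.exe
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe elevation_service.exe
File opened for modification C:\Windows\system32\fxssvc.exe elevation_service.exe
File opened for modification C:\Windows\System32\msdtc.exe elevation_service.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
File opened for modification C:\Windows\system32\vssvc.exe elevation_service.exe
File opened for modification C:\Windows\system32\SearchIndexer.exe elevation_service.exe
File opened for modification C:\Windows\system32\SgrmBroker.exe elevation_service.exe
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe alg.exe
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE alg.exe
"""

DROP_RE = re.compile(r"^File opened for modification (?P<rest>.+)$")


def parse_executed(rows):
    """Map lower-cased image name -> list of pids from a 'pid process' table."""
    by_name = defaultdict(list)
    for line in rows.strip().splitlines():
        pid, name = line.split(None, 1)
        by_name[name.lower()].append(int(pid))
    return dict(by_name)


def parse_drops(rows):
    """Return (path, writing_process) pairs from 'description ioc process' rows.

    Paths may contain spaces (Program Files), while the writing process is a
    single token, so the split is on the last space only.
    """
    out = []
    for line in rows.strip().splitlines():
        m = DROP_RE.match(line)
        if not m:
            continue
        path, proc = m.group("rest").rsplit(" ", 1)
        out.append((path, proc))
    return out


def correlate(drop_rows, executed_rows):
    """Split modified files into those later executed and those that were not.

    Returns (hits, other): 'hits' maps image name -> {path, modified_by, pids};
    'other' lists modified paths whose image never shows up in the executed
    table (logs, data files, or binaries the sandbox did not see start).
    Image names are compared case-insensitively, as on NTFS.
    """
    executed = parse_executed(executed_rows)
    hits, other = {}, []
    for path, proc in parse_drops(drop_rows):
        name = path.rsplit("\\", 1)[-1].lower()
        if name in executed:
            hits[name] = {"path": path, "modified_by": proc, "pids": executed[name]}
        else:
            other.append(path)
    return hits, other


if __name__ == "__main__":
    hits, other = correlate(DROP_ROWS, EXECUTED_ROWS)
    for name, info in sorted(hits.items()):
        print(f"{name}: modified by {info['modified_by']}, then ran as pid {info['pids']}")
    print("modified but not executed:", *other, sep="\n  ")
```

The "hits" list is the hunting input for a live host: every path in it is a signed vendor binary that should still carry a valid Authenticode signature, so checking those exact paths (for example with Get-AuthenticodeSignature or sigcheck) is the quickest way to confirm or rule out the same modification outside the sandbox.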
Drops file in Windows directory 2 IoCs
Processes: elevation_service.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
-
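Added example, not part of the report: a Python script that parses the registry rows from the SCSI and processor-information signatures above (a handful copied inline as constructed input, in the description/ioc/process layout the tables use) and pulls out what an anti-VM check actually consumes: the vendor and product strings in each SCSI device id, whether FriendlyName was read for it, and which CentralProcessor values were queried. The list of VM marker substrings is the example's own, not something the report states. Worth keeping in mind when weighing these two signatures: the SCSI reads come from SensorDataService.exe and spectrum.exe, both of which also appear in the System32 modification table, and device enumeration of this kind is routine for many services, so the reads are weak evidence on their own and only gain weight next to the file-modification and privilege signatures.

```python
import re
from collections import defaultdict

# Constructed sample input: registry rows copied from this report's "Checks SCSI
# registry key(s)" and "Checks processor information in registry" tables
# (description, ioc, process). A handful of the 64 SCSI rows is enough.
REG_ROWS = r"""
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 spectrum.exe
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
"""

# Row descriptions the sandbox uses for read-side registry operations.
DESCRIPTIONS = ("Key value queried", "Key opened")

# Enum\SCSI\<class>&Ven_<vendor>&Prod_<product>\<instance>[\rest]
SCSI_RE = re.compile(r"\\Enum\\SCSI\\(?P<dev>[^\\]+)\\(?P<inst>[^\\]+)(?P<rest>.*)$", re.I)
# HARDWARE\DESCRIPTION\System\CentralProcessor\<n>[\<value name>]
CPU_RE = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+(?:\\(?P<value>[^\\]+))?$", re.I)

# Substrings anti-VM code commonly greps for in SCSI device ids and
# FriendlyName strings. This list is the example's own, not from the report.
VM_MARKERS = ("virtual", "vmware", "vbox", "virtualbox", "qemu", "xen", "msft")


def parse_row(line):
    """Split 'description ioc process' into its three fields."""
    for desc in DESCRIPTIONS:
        if line.startswith(desc + " "):
            path, proc = line[len(desc) + 1:].rsplit(" ", 1)
            return desc, path, proc
    raise ValueError(f"unrecognised row: {line!r}")


def summarize(rows):
    """process -> SCSI devices touched, devices whose FriendlyName was read,
    device ids carrying a VM marker, and CentralProcessor values queried."""
    out = defaultdict(lambda: {"devices": set(), "friendly_name_queried": set(),
                               "vm_hints": set(), "cpu_values": set()})
    for line in rows.strip().splitlines():
        _desc, path, proc = parse_row(line)
        rec = out[proc]
        m = SCSI_RE.search(path)
        if m:
            dev = m.group("dev")
            rec["devices"].add(dev)
            if m.group("rest").lower() == "\\friendlyname":
                rec["friendly_name_queried"].add(dev)
            if any(tok in dev.lower() for tok in VM_MARKERS):
                rec["vm_hints"].add(dev)
            continue
        m = CPU_RE.search(path)
        if m and m.group("value"):
            rec["cpu_values"].add(m.group("value"))
    return dict(out)


if __name__ == "__main__":
    for proc, rec in summarize(REG_ROWS).items():
        print(proc)
        for key, values in rec.items():
            print(f"  {key}: {sorted(values)}")
```

Only the Msft Virtual DVD-ROM id trips the marker list here; the DADY disk and DVD-ROM ids do not, which is the sort of distinction a sandbox relies on when it presents non-default device names.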
Modifies data under HKEY_USERS 64 IoCs
Processes: SearchProtocolHost.exe, fxssvc.exe, SearchFilterHost.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000071ffb75f3f89da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000edf725f3f89da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\Act[REDACTED]iveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c6035b5f3f89da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d5dd345f3f89da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009da1fe603f89da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df7aae5f3f89da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid   process
2200  elevation_service.exe (7 events)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid   process
668
668
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
description                           pid   process
Token: SeTakeOwnershipPrivilege       2892  d15bb8084b67588a9e298fb6b6766786f7c80cb01f1d3018172781424a99a5bc.exe
Token: SeDebugPrivilege               216   alg.exe (3 events)
Token: SeTakeOwnershipPrivilege       2200  elevation_service.exe
Token: SeAuditPrivilege               1452  fxssvc.exe
Token: SeRestorePrivilege             980   TieringEngineService.exe
Token: SeManageVolumePrivilege        980   TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege  3136  AgentService.exe
Token: SeBackupPrivilege              3228  vssvc.exe
Token: SeRestorePrivilege             3228  vssvc.exe
Token: SeAuditPrivilege               3228  vssvc.exe
Token: SeBackupPrivilege              3732  wbengine.exe
Token: SeRestorePrivilege             3732  wbengine.exe
Token: SeSecurityPrivilege            3732  wbengine.exe
Token: 33                             1272  SearchIndexer.exe
Token: SeIncBasePriorityPrivilege     1272  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       1272  SearchIndexer.exe (24 events)
Token: SeDebugPrivilege               2200  elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description                       pid   process            target process
PID 1272 wrote to memory of 368   1272  SearchIndexer.exe  SearchProtocolHost.exe
PID 1272 wrote to memory of 368   1272  SearchIndexer.exe  SearchProtocolHost.exe
PID 1272 wrote to memory of 4856  1272  SearchIndexer.exe  SearchFilterHost.exe
PID 1272 wrote to memory of 4856  1272  SearchIndexer.exe  SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d15bb8084b67588a9e298fb6b6766786f7c80cb01f1d3018172781424a99a5bc.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d15bb8084b67588a9e298fb6b6766786f7c80cb01f1d3018172781424a99a5bc.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2892
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:216
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2200
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:932
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4488
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2432
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:2652
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:3828
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1452
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2888
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3236
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:60
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3808
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:836
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:1188
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4020
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:1556
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:3120
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:980
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3136
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:3472
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3228
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3732
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:2316
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272
  Child process of SearchIndexer.exe (PID 1272):
  C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:368
  Child process of SearchIndexer.exe (PID 1272):
  C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:4856
Network
MITRE ATT&CK Enterprise v15
Downloads