Analysis
-
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 19:58
Static task: static1
Behavioral task: behavioral1
Sample: bc16b0ca89acc5c553279d7454e120f7ad416a28dc3955c853aa9d7a8e3df41a.exe
Resource: win7-20240221-en
General
-
Target: bc16b0ca89acc5c553279d7454e120f7ad416a28dc3955c853aa9d7a8e3df41a.exe
Size: 1.3MB
MD5: 51f2c3afee4b3132faad1d4c79c65bd2
SHA1: 657625a195862a295cbdbfcdf1dc1bcfa55f14d6
SHA256: bc16b0ca89acc5c553279d7454e120f7ad416a28dc3955c853aa9d7a8e3df41a
SHA512: 5ddff8d37c5057b3eca5bdad4ba6de6564e9cf9d83f47e608f5c387f91ba2da353db772230997d17741d97325bbc23f73ec060994164d44e3044629b9b521317
SSDEEP: 12288:H09B+VdMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:H09BlSkQ/7Gb8NLEbeZ
Malware Config
Signatures
-
Executes dropped EXE 22 IoCs
Processes: alg.exe, elevation_service.exe, maintenanceservice.exe, OSE.EXE, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, msdtc.exe, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe
pid   process
812   alg.exe
4820  elevation_service.exe
4836  elevation_service.exe
3796  maintenanceservice.exe
4940  OSE.EXE
2216  DiagnosticsHub.StandardCollector.Service.exe
3148  fxssvc.exe
2816  msdtc.exe
884   PerceptionSimulationService.exe
4400  perfhost.exe
4456  locator.exe
3048  SensorDataService.exe
3648  snmptrap.exe
3972  spectrum.exe
1284  ssh-agent.exe
1324  TieringEngineService.exe
2324  AgentService.exe
2920  vds.exe
4600  vssvc.exe
2028  wbengine.exe
3468  WmiApSrv.exe
1948  SearchIndexer.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 24 IoCs
Processes: bc16b0ca89acc5c553279d7454e120f7ad416a28dc3955c853aa9d7a8e3df41a.exe, elevation_service.exe, alg.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\System32\alg.exe | bc16b0ca89acc5c553279d7454e120f7ad416a28dc3955c853aa9d7a8e3df41a.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\26f481a7c4fd1e7a.bin | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
-
Drops file in Program Files directory 64 IoCs
Processes: elevation_service.exe, alg.exe
-
Drops file in Windows directory 2 IoCs
Processes: elevation_service.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: spectrum.exe, SensorDataService.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes: SearchProtocolHost.exe, SearchIndexer.exe, SearchFilterHost.exe, fxssvc.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
- PID 4820 elevation_service.exe (7 records)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
- PID 660 (no image name recorded; 2 records)
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes (privileges enabled, grouped by process):
- PID 508 bc16b0ca89acc5c553279d7454e120f7ad416a28dc3955c853aa9d7a8e3df41a.exe: SeTakeOwnershipPrivilege
- PID 812 alg.exe: SeDebugPrivilege (3 records)
- PID 4820 elevation_service.exe: SeTakeOwnershipPrivilege, SeDebugPrivilege
- PID 3148 fxssvc.exe: SeAuditPrivilege
- PID 1324 TieringEngineService.exe: SeRestorePrivilege, SeManageVolumePrivilege
- PID 2324 AgentService.exe: SeAssignPrimaryTokenPrivilege
- PID 4600 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- PID 2028 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
- PID 1948 SearchIndexer.exe: privilege 33 (the numeric LUID shown by the report; LUID 33 is SeIncreaseWorkingSetPrivilege), SeIncBasePriorityPrivilege, SeTakeOwnershipPrivilege (repeated; the remaining records)
The records worth attention are SeTakeOwnershipPrivilege on the sample (PID 508) and on the replaced elevation_service.exe (PID 4820): taking ownership is what lets a process rewrite TrustedInstaller-owned binaries under System32, which is exactly what the "Drops file in System32 directory" records for those two processes show. The backup, restore, audit and volume privileges on vssvc.exe, wbengine.exe, fxssvc.exe, TieringEngineService.exe and AgentService.exe are those services' normal startup privileges and are expected as soon as the replaced images run as services.
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
- PID 1948 SearchIndexer.exe wrote to memory of PID 4200 SearchProtocolHost.exe (2 records)
- PID 1948 SearchIndexer.exe wrote to memory of PID 2860 SearchFilterHost.exe (2 records)
These are the indexer writing into the protocol and filter host processes it spawns itself (they appear as its level-2 children in the process tree below), not injection into an unrelated process.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run vssvc.exe (PID 4600) is itself one of the binaries marked "Executes dropped EXE", and the privileges it enables (SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege) are that service's normal startup set; the signature may therefore reflect the replaced service starting rather than shadow-copy enumeration or deletion by the sample. Before treating it as ransomware-style shadow-copy tampering, confirm whether the shadow copies that existed on the machine survived.
Processes
Every service binary that the signatures mark "Executes dropped EXE" appears below as its own level-1 root rather than as a child of the sample. The sample (PID 508) rewrites C:\Windows\System32\alg.exe; the replaced alg.exe (PID 812) and the replaced Chrome elevation_service.exe (PID 4820) in turn write further binaries under System32, Program Files and Windows; each replaced service is then launched as an ordinary service start, consistent with the Service Control Manager starting it, so the infected image runs under that service's account and privileges. Parent/child links therefore do not show the infection chain; the file-write records do.
-
C:\Users\Admin\AppData\Local\Temp\bc16b0ca89acc5c553279d7454e120f7ad416a28dc3955c853aa9d7a8e3df41a.exe (tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bc16b0ca89acc5c553279d7454e120f7ad416a28dc3955c853aa9d7a8e3df41a.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 508
-
C:\Windows\System32\alg.exe (tree level 1)
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 812
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (tree level 1)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4820
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (tree level 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 4836
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (tree level 1)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 3796
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (tree level 1)
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 4940
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (tree level 1)
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 2216
-
C:\Windows\System32\svchost.exe (tree level 1)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 3960
-
C:\Windows\system32\fxssvc.exe (tree level 1)
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 3148
-
C:\Windows\System32\msdtc.exe (tree level 1)
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 2816
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (tree level 1)
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 884
-
C:\Windows\SysWow64\perfhost.exe (tree level 1)
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 4400
-
C:\Windows\system32\locator.exe (tree level 1)
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 4456
-
C:\Windows\System32\SensorDataService.exe (tree level 1)
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 3048
-
C:\Windows\System32\snmptrap.exe (tree level 1)
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 3648
-
C:\Windows\system32\spectrum.exe (tree level 1)
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 3972
-
C:\Windows\System32\OpenSSH\ssh-agent.exe (tree level 1)
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 1284
-
C:\Windows\system32\svchost.exe (tree level 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 4896
-
C:\Windows\system32\TieringEngineService.exe (tree level 1)
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 1324
-
C:\Windows\system32\AgentService.exe (tree level 1)
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2324
-
C:\Windows\System32\vds.exe (tree level 1)
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 2920
-
C:\Windows\system32\vssvc.exe (tree level 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4600
-
C:\Windows\system32\wbengine.exe (tree level 1)
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2028
-
C:\Windows\system32\wbem\WmiApSrv.exe (tree level 1)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 3468
-
C:\Windows\system32\SearchIndexer.exe (tree level 1)
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1948
  C:\Windows\system32\SearchProtocolHost.exe (tree level 2, child of PID 1948)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID: 4200
  C:\Windows\system32\SearchFilterHost.exe (tree level 2, child of PID 1948)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID: 2860
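The process tree above is a list of on-disk service binaries that the sample and its first-stage copies overwrote, so the practical question on any other host is whether those same paths still carry a valid Microsoft or vendor signature and which services would relaunch them at boot. The following PowerShell script is an added triage example; it is not part of the sandbox report and not the sample's or any vendor's code. It takes the binary paths from the tree, checks each one's Authenticode status (Get-AuthenticodeSignature validates catalog-signed inbox binaries as well as embedded signatures) and SHA-256, and maps it to the service whose PathName points at it. The version directories under Program Files are the sandbox image's and are assumptions about the host; $KnownBadSha256 is a placeholder the analyst fills from the Downloads section of the report and is left empty here so the script asserts no hash of its own.

```powershell
# Added triage example (not part of the sandbox report). Run from an elevated
# PowerShell 5.1+ prompt on the host being checked so every path is readable.
# Assumptions not taken from the report: the third-party version directories
# below match what is installed on the host, and $KnownBadSha256 is filled in
# by the analyst from the report's Downloads section.

# Paths copied from the process tree above.
$TargetPaths = @(
    'C:\Windows\System32\alg.exe',
    'C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe',
    'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe',
    'C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe',
    'C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE',
    'C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe',
    'C:\Windows\System32\fxssvc.exe',
    'C:\Windows\System32\msdtc.exe',
    'C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe',
    'C:\Windows\SysWOW64\perfhost.exe',
    'C:\Windows\System32\locator.exe',
    'C:\Windows\System32\SensorDataService.exe',
    'C:\Windows\System32\snmptrap.exe',
    'C:\Windows\System32\spectrum.exe',
    'C:\Windows\System32\OpenSSH\ssh-agent.exe',
    'C:\Windows\System32\TieringEngineService.exe',
    'C:\Windows\System32\AgentService.exe',
    'C:\Windows\System32\vds.exe',
    'C:\Windows\System32\vssvc.exe',
    'C:\Windows\System32\wbengine.exe',
    'C:\Windows\System32\wbem\WmiApSrv.exe',
    'C:\Windows\System32\SearchIndexer.exe'
)

# SHA-256 values of the rewritten binaries, pasted from the report's Downloads
# section by the analyst. Empty here: the script makes no hash claim of its own.
$KnownBadSha256 = @()

# Index every installed service by its image path once, so each binary can be
# tied to the service that starts it (the tree shows them as level-1 roots).
$ServicesByPath = @{}
Get-CimInstance Win32_Service | ForEach-Object {
    if (-not $_.PathName) { return }
    # '"C:\x\y.exe" -k foo' -> 'C:\x\y.exe'; unquoted 'C:\x\y.exe -k foo' likewise.
    $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] }
           else { ($_.PathName -split ' -| /')[0].Trim() }
    $key = $exe.ToLowerInvariant()
    if (-not $ServicesByPath.ContainsKey($key)) { $ServicesByPath[$key] = @() }
    $ServicesByPath[$key] += $_.Name
}

$Findings = foreach ($path in $TargetPaths) {
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Path = $path; Exists = $false; Signature = 'n/a'
                           Signer = ''; Sha256 = ''; KnownBad = $false; Services = '' }
        continue
    }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path      = $path
        Exists    = $true
        # 'Valid' means the embedded or catalog signature still verifies; a
        # rewritten binary normally shows NotSigned or HashMismatch here.
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Sha256    = $hash
        KnownBad  = $KnownBadSha256 -contains $hash
        Services  = ($ServicesByPath[$path.ToLowerInvariant()] -join ',')
    }
}

# A binary that exists but no longer verifies, or that matches a report hash,
# means the service should be stopped and the file restored from a clean source.
$Suspect = $Findings | Where-Object { $_.Exists -and ($_.Signature -ne 'Valid' -or $_.KnownBad) }
$Findings | Format-Table Path, Exists, Signature, KnownBad, Services -AutoSize
if ($Suspect) {
    Write-Warning ("{0} of {1} target binaries are unsigned/modified or match the report's hashes" -f $Suspect.Count, $Findings.Count)
    $Suspect | ForEach-Object { Write-Warning ("  {0}  [{1}]  services: {2}" -f $_.Path, $_.Signature, $_.Services) }
}
```

Because the infected services are launched by their normal service entries, stopping the running process is not enough: every path the script flags must be restored (sfc /scannow or DISM for inbox binaries, a vendor reinstall for the Chrome, Edge and Mozilla updaters) before the next service start, and alg.exe and elevation_service.exe deserve the closest look since they are the two that did the rewriting in this run.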
Network
MITRE ATT&CK Enterprise v15
Downloads (files captured from the sandbox file system during the run; with the Network section above empty, these are on-disk artefacts such as the rewritten binaries and other dropped files, not files fetched over the network, and their hashes are the ones to sweep for on other hosts)
-
Filesize
2.1MB
MD5bf6a9c12d51c71f0e8bfb3acd73ae30f
SHA1a77dafbbfb2a9d04fe502c5d89dc75fd40add030
SHA256fd2ab86016802abaa1addd0b14044df4dae058368bfe1523f3bea52602919d17
SHA512abb8732090f0b315c9232b98c4c0bdcf8bc1be3436012b05cf162faaf469535fd49373a3c82c1cd5a64be6fa5195208562209612c64e23b83cd9cf91c0da25b5
-
Filesize
1.4MB
MD525386b6520a98830fe01c5eff323d5b5
SHA17b3114480a4940a2efc2a0a901fbf94bd5351eb8
SHA256708c2513aefa329c51bbc1416e7d46ba82a00d36b0c284a93148196ecc2816e5
SHA5128b20028a68da1a7a35e765fde9f519595878987daeb9e02b7bb6b39fec210233ad87684fc328f075f6250d70f367558ff0dda39b4b184041310173a1e8395b31
-
Filesize
1.7MB
MD540ce392250ea2efb454a3cbcfe4ef5db
SHA1bc70343bc85d931df1893873f8014194e5293519
SHA2568ac824791c432df0158049fd20ff50d8df48e6e149ce3e6e2d965eaad035f16d
SHA5120159b15a3c8bfe8eb6d20ebcaebb5fa406b78fadae506cefd4fc5c652e9d1220e68351c056256a4301b630e25e4a132c2cc6be59a3efdb363e793cc42efc6b03
-
Filesize
1.5MB
MD5b387be0020f46c23af359d028c6b1794
SHA11b8f3d6c3c56b4ce66e2b4e8bd385647042999df
SHA256f86a8c82723f672961204684fe6c6a08b191f646e35eb81d9f987c0029761a2d
SHA51285fc12925db5f6a68625aad92c233b52f17734eca4417567760d061743d63370c72cdcffd3058c34a73093bf3081c34e1d2652006a0d482d2ca47a67d07783f7
-
Filesize
1.2MB
MD579b89b551a32be6f3203734508b66054
SHA173b0122738f5b016816ffc00b268e8525476e1c2
SHA256f6a08689785c38e9e901d53d680d03441c713307eaca0ef583808a288f2eb4ef
SHA512e0a8073e772671dbe1d4aa0ecc3b2a73f3b476b0b239d907878dad8aaf3ca40689f001dfcbb2baec476a3ad41e1052c90a8d60da34d9b9ab5341336e51333b9a
-
Filesize
1.2MB
MD5300e250e5b6898b1559af870f650d8a8
SHA1f5c44eed6e5648f796778a4de9657c20d5a7e73c
SHA256c362fbda1b4ddb58f531e77a1cf739bb54bfb1d4a780597359beaf3994a6321b
SHA51265b8f5ffe37bad6d52b7f479b6cfdbd6090045a1560a5c1b1ae53f82d505d48e3c527c3f88862199fed2ba611060c4a067a12df6e47083adfe6923d9977833e8
-
Filesize
1.4MB
MD57350815c54061ec89eecf793b4723d57
SHA17f9b4d4f36f22c89899c64296bee47d26b6f8dd9
SHA25696c616812b3a96fdb6ff661d00ce0394cb5276c3e69f5ce984796c42171905d2
SHA512bc457ca05b4bafb9c3a2ab25866fbe0b7c2a061c97d3010f01fcaf250c9ea9d64ff07902146f67b2b0c7c187e8754a03a0ac8836e6342ce639c694a3f7966be3
-
Filesize
4.6MB
MD57844db66c93c91c0bd77c57a83407581
SHA172a64b8f1532f9f7aaac3a8e812ff2fe4c926bd3
SHA256c64c806ad6db5710db59553ea48ff41eb1ef13942ac6c89e25f5d679c1fa6e34
SHA51200b932c94bd8c40b1c8bde631a5d0912d787f99a08f8786ee140c31091073fc7e35fbc0f08aeb49b4b09f80afc37b841d76bf64a63f9210b9775514aa2087917
-
Filesize
1.5MB
MD5501e46665d1f71367a52da02cd2ce905
SHA16812b3da348f98c9a625b174e6d037f93e0e263d
SHA256803fcfd6be92e6f06c80362542ba06ffed7be999e7f545655b5a6816ba288e83
SHA512d8ece60c11565726dc243271004d762c092eeab6ea312bb51e645b3405f79c8fb536ca5134501376c7c4c94bb4158e5eea4606fae88a4b49490bdee5b864d8d8
-
Filesize
24.0MB
MD5b01c8b519bd268161b593927d9439b8a
SHA158097ebfa64f09c04ed5efb1747599da855a07f3
SHA25600806a04a38d5716be8c2db268a4ddf81f5784231d159ed0ef8e3ddb5613a794
SHA512b9b129c8336b4df8c9b17877d68f1f32fa1468fe55e96243dcd1da1c1be84db5d6848fc7fd012c453239f63684b9c5d923438c115fb616fb8bf1e5ea24923e10
-
Filesize
2.7MB
MD52b64b3314191d87d6364f9423940a448
SHA1da3a473cad64c423b0dad95a44ed64af7f022dda
SHA2567143cd60643d8dfedcb285ea63f8408d5ee0efbd92a07278b74d96838f802654
SHA51256272fd26c8fd5dad575ac1ff85e3e9d3c0e69d1a5ea94706a186ba76504c6230cb5f47e2cbd12bd4b238b4343dfe06dee1d5489c114f227bd610e2eca792415
-
Filesize
1.1MB
MD5caf70e45a72ffa063aae48238958025c
SHA1cc7035dbd4388e82644568047156087b567e77b4
SHA25638ce6b4522dac9b7983da66fdc8baab1ab02a3be22b89c1967fb93613faa11c1
SHA51249d44ef1249ec93c489db72cfd802dca9df3eb43b6440771ed7c69e80c9071c9945ea8787121ff35c7b73eab00d128efc60aa0161694bf27c2fb96e3d33c0a30
-
Filesize
1.4MB
MD5a163718eaeddc3ceda77687ffc1cf75b
SHA18b54c6af891910637e52b3511e836f4aa643484f
SHA25696fa85126ba0499cecba9bf42d9c8174f5bb91e5d8c96c72d48bfe96cbf47e64
SHA5124776d55480ce4ce6f772e25e3e82f84f17b30e9973f7532b6cc62634ffb72d328efebbf8b1b696be5b9ace975b71147cb921976783238ba8196d02686377f70d
-
Filesize
1.2MB
MD51f79a969b4951ac9eaec7889e2d4d60d
SHA1a3d747a5283209059a2a1d98f6452d384d9b5125
SHA256adb4f1c708d29376224cb5cfe3e0fc33fbb0266b30075190fa5b1d62e84030e0
SHA512e5baae297ed0aedc92b514f0fc2f276d39994795ce02f05443007af695fcd9c753e1b3007a9166c4b3db986c5ae85fac4e40455af165c0f1d42b7eda1406610b
-
Filesize
4.8MB
MD59a3a08ecf5f94cbd7fdb9a5f1c085242
SHA1a7d04308ce32608ccac93d50b07a0b8a8b9513ab
SHA256ead90c7eda4d7eb1413eb6b1533594c429b478ca95bc24de83f4246ac8e5dde2
SHA512b0f3a814aadff8688a92a938e279198a64c1832198e609c78f8430581d2c21c12c53fbbdddf58ce4d55abd0b45413d49ef23b761c3ff1aa31bfa455aeb36a458
-
Filesize
4.8MB
MD5bf1cce006f5dcb1d4260f0b519f9dd6e
SHA1d8bbbefbbf91df1e31e8da0052929a36237cb77d
SHA2564e2838564704e991212b9223a66a50a9fda825716dcb10b1c3e18cd7bc39452e
SHA5128f9b12b986e89b39c9e272117292f5ca31a7528e106bc0775ec554565008f5c9f6d69dc478d3a139e4098a633115402ab21777aa16c3046ca4ec754eb80f8799
-
Filesize
2.2MB
MD5c58bcb542a3be97fe7dc9e1ce3c7441b
SHA15ab88772a2966e3ec1b284622c8ef38b1e8b81de
SHA25666f9dc885b1af27c9119ba9dfce55415a893c0d66753972f82271d9a73fa56ec
SHA51218193656a3efe83413ba466f61ef0413d80f7588e698c4b519b39f41a291379bf16a1a64e1e42fa4b87678d7cbe23a31ad5be39a7e1adacae72e848362eb0776
-
Filesize
2.1MB
MD589acce390fe442767c282ca183147f44
SHA11d091da70e9fa66089c0cb3a07044e2afae12872
SHA2561b47e607c8f631c6288468e6b636b6a8816c42975b9e8e3df20fd9244dfe1f8d
SHA51201e8500c183ac6eab73c8720914745ba37ebf449cdfb245bf49b08a011587174f10766bedb3db635cb825c03f8baae123946c508198d685aecf156a438a0ac17
-
Filesize
1.8MB
MD5a429e4a7869e5eae77f9149d2285a43a
SHA1df202f01e987c58647b7ab0c8d0f16a22ba5b8c7
SHA256bfc58586ff3112f2c56390cd771eb7544e1ae3836b3662a882363ea5824a6501
SHA512516cd961a101e96d244d1f1ac3d52405cdedb24d7883e9d6ee2424ead43dfa8c1e5b9e0c6757fa2590bfc4b557d29e58744f19c64eeff4deb403b566a07ef07d
-
Filesize
1.5MB
MD5c8f44b2ce0c0327f2ff440bccd0efea7
SHA17c0dc02828f2282eacfde92f23c0b8109b6c7383
SHA2565133dc1ca16d670b98737da37e08e9d6306f90280756e0d72c20a29aeb75e501
SHA512ed4dca78989326a77c3ee173de4fc2961577a0ecbd9eb4075df615aa77618adee86a8aaecdbb356c77bee3c79774feb4babb059a40045f1552c4026800a110a0
-
Filesize
1.2MB
MD56781df7299f5e9f0c0f676d875e0482c
SHA10e1418d377bcb34669eea46ddd9f08c959d36945
SHA256aadbb175c327ed333877ce11e2776cfc89180f818a44b88804f0d9b54a6e6fe0
SHA512ab4dfa78fcacde6ac6846da4504054d2e911e152ab8842fad56592edfc862f79640faf8d312a548d17d4aa81680bb64e648765b988fa34c16d7a0aacad39a8d8
-
Filesize
1.2MB
MD53e20e1cd17d78a42166fe36f4077b82a
SHA100cc2eeaa11f171068e3f403e2dd0877131ffd48
SHA256a1a882dbd013b8f4d9c0db119a4effb0d0a523657cb2543a7c1c6da0547dfa51
SHA512d3a8be5364be4d4a2d3105f5cc7472b6f66edde784302253e188fc12b749e3f1b149943d4b26489de1c1413f19cf83b2fd4a58e337432ba4f89d5a7899ae92e8
-
Filesize
1.2MB
MD501a7f60924b0fb616a3ef11c5e6b041f
SHA1d197b1a4a97e9ddb5825182a385176a55d7b01f3
SHA25611f0d8a545e833cb978f7e7915995fe40ac95d13670d14f6a854a74a0816912a
SHA51229990ec87fd9b24150b7527c631fb25bb0ed5f67bb544a8713adde3d1c31dd13331608723111f39a6f972e5dfb85908b9ee55b951141d982d8bed24afb908f2f
-
Filesize
1.2MB
MD5349595e6ce0e1cf071079347df1d0b31
SHA1c85cb2634f70367ae03d8059fd64a53da7664ce5
SHA256f806713b8f6e9000761fee3f0770897718197d8b70bff6d9e7a869d01d418fd5
SHA512a34e8c4ca46d7e94786fdb625a4224a017cc8c81d401141be6a98397ae5a9e8cba5b7585947b1a94866f441f04340370c1e34598118dfc1bf93f464416e0e4cd
-
Filesize
1.2MB
MD513dcc120684ca066905d4509f9f0b806
SHA1df7297bd63f9c252294f69991c084f170bc33c4d
SHA256758afdd5f78e67f5792d6edec546f9ab94cbdb4fb4c13ca615aa9c94fc5ed1fa
SHA51259d43ad8c8d316c2bbd4ef2f7465553b3e23af6eb70f18e58345db92bcc427a46dcbd7ee29a339ed30a2b9fe01235eee18f054c9842e672868db2fa0eb119016
-
Filesize
1.2MB
MD54f8ecca2b41b1c9d9836d934661850da
SHA1118f8a3b123dc4b80a21ed00c7d896e53a4ac872
SHA256bbd9185b681091b83eb64197781250c015adeae4080c8ba2b82f777896fec5ee
SHA5123e9ac817af6c92157c277af58d4c9352836488f487066edc3d68bb85c7b65a390d7c3cd4cb9a4ffbf59c590ac6bf9e8530ff2ff959cd6b18a2915ec3aa8788b6
-
Filesize
1.2MB
MD53fff644695a5da38f0f4ec9c697070be
SHA1dad0ce65d621eb805458cb4b63112ce8f5a4e987
SHA256f4db2b120234b244abc9c01c156ab1056171b7836f1dc293602b192dd2467b95
SHA5126b37d7e2c11aa55a1eeee3593ab467f3742efacb5d400fb5c7f66a9552ac8758c73744bc51d57cae718ca8261cc5d23c8b78f64489287d396be03dcffcc349dd
-
Filesize
1.4MB
MD5ed2ddbaedca0ddab55764418cfb2cd5f
SHA1e899aaa5b46528c1d8a4258d03878c88a17c7fbf
SHA256e8e31c3310f70842f2b75f74da1315e5343c5eca023565bc58ac351ca1b4e5a3
SHA512020abe7c2f19ff3ef69476187b725182f56ada8e2dcbf00210fb69600ee4aa5bb271a6dafcc7e3ecad896f24cc683cbfc963650d07dabb445b0526f3a04aec5c
-
Filesize
1.2MB
MD54feb760374a3bf42ac5f70ea255cb1b1
SHA147e3fe9480eb94ba90b820ba47fabf3e0cdbf3ad
SHA256e34bfb6e048c70056af2cacefaade24c9dc762ae853342b1f2362fe09bdc22a5
SHA512224591c10bc8f5faaa6f6a7c416ea9b8648116498fa557fd2eb491f226c1f1d2add15062a549c7acc3e04ef1ab729d91cdd38a4d32ad593888f81db7b9bcf835
-
Filesize
1.2MB
MD511ad9f34fc78c5d7cf52313898d4fc60
SHA1afd85e5a6f16ba4af7d53e940c88090476f9f924
SHA256c8fbd5b4f07dc60bea5f963b5d8c814263f7949540f1fdf96ff2032511015916
SHA5127bea93bb869f79d4a83bc3b9daddac4a3e500fa49072527fa70da18550b73d661907533e784a6e4c6de9f82ab5626630f844fd7b822f0ede5ba97b15a97ef756
-
Filesize
1.3MB
MD562d370668cb3aedb6f4426989e8bde09
SHA1257f7ab3aea19dbdb4f866fa56b0f9aebe8e62f2
SHA25670f2790ab5044fa8d6f435ebda0d3e40522136deb00c3d59ea30776970441d88
SHA512e7a84f727a1a42c0d26f935ed30eda2a0596d31370015c06f5465b54756f947ea9ad4dd7dcf0ed9f369ccdb3439bb4f25e325fc80327513de23431d9eb314dbd
-
Filesize
1.2MB
MD5758ad78a012614fd858e988b36e3d267
SHA1df503920c150063ed7df97621f8cb5d59ea7f5d6
SHA256d9618eb02f523e40f396b08dbcc27619ad3c4fe0f350b65047995b0563e8113a
SHA51273e3fd43b5fa2e1306cfcb04838a0b64018201bf1c25060ff708fe87bf75c88cc15e068c3642d131c2e59d143e493932c4e9a48371ed6618144ea0ac80df97a5
-
Filesize
1.2MB
MD5ed5e56dcbe780499529e3db4b7c218b8
SHA10aa8612c38fd60f1cb47eec2ec216203ec90658d
SHA2565932642ce5ab3737b3a29d0e0141a970f4005d3c61aaed6828694563c572e9ec
SHA5122da05706d2ac85d38f6fef13c1ecaaa6de2562c540dc49c13bbee205afa7988ef2d1c6819702dcfe4d4967d582e0dfcabc7ddcf25255ca21b6497887c10a422b
-
Filesize
1.3MB
MD54cf79bc4d28ad45c71a2c511a69bf9cf
SHA1f21511c3b64d7fc2311f964545d26613d8e8fbbb
SHA256eb7b9c201d4c1d0c4b2c53ae47aff4821362777defb04d6a68304da0a5bdbfe2
SHA512e60da5503902055ff833e1fdd3dbd108c6a77497094961f7c7117955a59dfd7a296d5c2bafc2f5cdaf8b1f821a04803f5b90480964f72ebf17fe213dc1b9526c
-
Filesize
1.4MB
MD53aead80d2bbc4d5decc86112e744c552
SHA1310676eec5f2f079a2e50fd1299d5b6b6a9bdf53
SHA2566a236bbaf2e49fb6ccc9e31728416686b3ad25cfd5a9ba7e8db65b410bf3053c
SHA51254401da669a451f68bf988a0984519dcd2e214b823da14dd3ef65d27d8b5ffad1140b6b7c63ad41198d95b2ece82c31fe4f571ebc41a9cdcd585c8e055295b7d
-
Filesize
1.6MB
MD58a0184373cda4201fe8c5bfbe1e15d10
SHA1cca896b6601bbf81d63c4c0bb2b583484ad4a4c2
SHA2569efdc618cdf06f044ef4ce35f717a2f38550479da3399971e7f0cd6b45128ad1
SHA512262213a3b17970626fad7983b54c7f5e55f37d9b96cca8bab6d1792a4b7621c9cd036b579a1e002984e64471a670e672606cd362db97b89ce8e6fe6c661b8ed9
-
Filesize
1.2MB
MD5c9d5924231d25119e3f952a834a51809
SHA18b254994f175553f71a7bffc1672d303ce7d1bb1
SHA256519059b644223f03896c8cf6d1da001973c74f7f0c74c0fa4a8006d8d58da957
SHA512f11790287669d41e09b9604eac00c85b4eb2ebb5f4889b792ed7ebc363b67514634713e20bec6fa4fb5643ef0c209e3e47184d02dd378bb666af7846dd40401f
-
Filesize
1.2MB
MD56fa8656aba1c77504e1055e8ca3bf432
SHA169c03b1777dc6818d38eea0937256d3df0b8a060
SHA2561186f0e2e90d98a509cf40f977c860e147fd8e9658170d7dc9df218474546e0c
SHA5121c824e725a7e87ab30e44414c6cf6d61761526b7a20896a8a954c2e5863edec2256f9e75293df50e8ef8f538943d419197c09e3e3489c52d60a610b690dbf059
-
Filesize
1.2MB
MD530cf69159844f1ed07c10b19f757f43d
SHA1ea88fbda0d54e296a0695ee27df704e22910c3db
SHA25600b361f335af288c0345872aab758c11a9a0f1d78bcf16793b83aed7fd5c052a
SHA5124bd075504ff588563bdccff8b3c4afca004a73e934b9dd053bcb39f697365b1ee259c8710a859193a54bc0c16f681fb72a7af0df7c79a37184b917d4477a154d
-
Filesize
1.2MB
MD510e44f057692454887ada2beb1ac3a99
SHA1e14b74e970f71064fcd56e62a96c02653156f2e2
SHA256986cf61388c4ed2455e9da5f305791b581aa7369972ea3300f968357a2dbf6bf
SHA512a246eb67115ea50a7ea621e6795f6b7dd648d2f77046d12204cd945fa9031bda6cbf9d2cc5141ac2f4427518c08fbcbf64df720f1130c6a7b15da2cb4c0df7d1
-
Filesize
1.2MB
MD521e602215993592cb272ed74407316fa
SHA14866207282ddc7543d7f42b997948813f8f8b537
SHA256a121ad3be481d889dcb5f64759c1016742aefccdbec4cbc2126b72d360a3fcf4
SHA512ed607f92db63767a8cb3043c9c57f4bca8d6db01393b9397b7bada4280889f2de918f4e46e3f4e63606a8a1694fd61916005dc6053c12b53a0d34752da863656
-
Filesize
1.2MB
MD5dc78f5fdc60c3d43dcc99f4d53f82479
SHA134932c47a9d02c2b8d4947b8fea0dae18f43940f
SHA256348c96e45f78410fc1ecf4c5f8cf01fcd0fff81fa3425b88cc0433edd7a167b9
SHA5129cd36bc1aefcb062703cd0c392e215d7d5235573426accdd78eea3aae0c88fbba9d3991932d9fa2eb40d8168d06f112d6e664e2da0309a877c65912b0307366a
-
Filesize
1.3MB
MD5ca5462a43702688f12fd162d5913a14e
SHA132568fccb5c1a4dc6060320e46dc86a1d0835ba9
SHA2561487e0dee2de2604c2935658f234090f899d27bf632bd664d012d5836697c935
SHA512babb6b0b5c71723ac2cad960ac89125eb6f69080b6e64bfcab9e5866ddab854361201642429c9c93788970ad0a9a9b3a61ea15028d3984b895768f08abd303e1
-
Filesize
1.2MB
MD5120460d152ed832ee9e9f9cb1f5f4624
SHA1f9c6bce4aab67eeacc83c62834adaf0185c1ecd4
SHA2565610fa00c8ff29100fe103e170e8e4d2a58a330faa64c7356fe7bb47f9bfb9ee
SHA512d508fdf7f541a49d98193ae444143ab756c37417efc94072b8851d27c22aedbefa824d04132cd140bc187d3387a9d741ae385bc3e968221091ffecaa2ec52d05
-
Filesize
1.7MB
MD5eee3bc60daec7941d0b6c547cc7ac082
SHA1bc79b767dfa2d5201c7fd0a22cb084003a6e9c77
SHA256b71186f24823cf74201f7f793640decd8158ba7c8c47ad2c1b0c9632c1491478
SHA5124f6ab31b6a8f42cc457c69c314c3a12700c8a548e6a6d018a00e90201248aa03c5c07cbd83a4b56571914dcaa42bbdcee5557a79cd96cc885a34a6c25c59e334
-
Filesize
1.2MB
MD565a5a2a78be635f6dd82176ff65d1518
SHA125c6a63ad2176cc82a4f323d8caacfea4e6fa6b3
SHA256bb826356936769eb5a01d53a116083a246c07250dc0c5b31b21f4214194c343f
SHA512ed1822cf76567504bc86d50a5d164d20ead86e22f46817e1c5f5e6e172df73b8bd2c59a655991c6eccb5a6fbecc7f5512a165c95ff152f61b01bf9179c95338c
-
Filesize
1.2MB
MD5b65570b165c8b668b021dc8dd5bc901a
SHA18b354d2da59e36f0bab403a14dd5022c318fb95a
SHA256a82df5e7872990b6cc811afc6ab3274598f72c980a2a3698a9b6b4cd18331165
SHA512d4aa2adf296f5f7b85c59ab0cb9a2dcb11a5c66e0c357f3534166a295c12ee17965c8a5d6cd82330fdc4c3e168a3cb6639bb9c251761206392be407d79146461
-
Filesize
1.2MB
MD5846cd4546d186a548d2a4d754d2b186e
SHA103a181676614fca333a2c110372eb29717a8b90c
SHA2568dde14c5396d67d8e0419b97c2c39a253cbc17287165f97253897ba6151a5b8c
SHA512ae1091453b0bd9bdf181bc181c72d6ce6bede49ba318949db0116b23ee51faf5a5fb3c4a4682d24788184d49d06f456f3dcbae5389f609baa88d2b74e96d793a
-
Filesize
1.5MB
MD54ade8aea1a848af5cd05e12a8452c5f2
SHA1d388c8b99838e61db7359fc7db377907903dbf33
SHA256ba87d0f5ece51b24df6025c9c483005ef8c55a60ab16632105c5385540efaf55
SHA51292ec9b67ea96ec35b9e51a0d931d9735f7efe9474ea22b478d4764192a9f29fc8c8ac9609520c877dec97508006ff9212adf3ceaf1c096d60de37285818a7c71
-
Filesize
1.2MB
MD53bf5c128ea382f49b1796af0d35ab31e
SHA1105630d09530e2137dc7f8e4d6d2ecbaf74bc436
SHA2567caf3a63dcfdcca50ee370cf0766e79c64475fe51094911966dbf0d981637def
SHA512592d168a43e4ce4f226123bee01ee73be15c3f1fe50fc220ade35ce547f1a43eacedad909fde1f3b6bdc1e887ac76aee1f769ae23a22fe18ff2375efd06f2fce
-
Filesize
1.4MB
MD5904412f6941fa252bdff156d39cf8a88
SHA1593ea375007833507917e75aff7ae8c989d14738
SHA256d4a4aef390f3ff442532d4a89bf38db74b2d135cabafa6583d4c8e6bb3032563
SHA51242f2659873a507e4f3694a801d91cef4557d25f87e17da01ec77d3b9c0cee7305f0debc82c2061c01b864383485b59c9b244fd8eacfddea0d535700b28bf3a91
-
Filesize
1.8MB
MD5dd8aab3c828476096f55f15de5a8685b
SHA1e0fd5bc5934d36ebf5b9c755960be60ea9036828
SHA256462c69f7501e79e38927e1a41902884687b2b0946f99c64d6492961300b5ecd0
SHA512e754bc2c45f018901d5b90f2823b9d54f17834312f974546ba1df02983c1d1a777015cfa0b8ab344603e604b85c817a8c3dd958b37dc18bdb961393b5228a7b1
-
Filesize
1.4MB
MD50b36354a35c59ead01864a7c0d79bcf0
SHA17125b275d28ca001570a3b722a68eccfcf67ec56
SHA2567e0454456785994019f0c30f5e07fcfdab4db6ab2137a2a5f20f7857cc04616a
SHA51200c80685fa9c3f5bf04b697dd630446989092bcba123dc7e3fd8850433c654390c5b384b81b4ac4cb4f34e035bf12f09347acba1dae93ca55388ebc5e7bc8237
-
Filesize
1.5MB
MD50a42178544f5d1567b5745511e853c41
SHA1f5ebb88e5c2dbc83a4ee964bba75d8c279ccbbbb
SHA256dd0dbe34e8cb7770ce2d9b592c2074684fc2cc22ba8f258c7f4582860a5f25ed
SHA512e03e0f939582c04153c3d0cc28b22c9ff08e5e8590347b6a8366d290cf4abe533d8eed629fae98034f0795c65bd7d17661738ca8dca6f540ee08e6521b9b3595
-
Filesize
2.0MB
MD54437a9991eca7b45bda86d69d8c3a03e
SHA11ab910693ff0fca089dbfdb5906f6ae12a295b62
SHA256bbb7715a000177cfd666edbf62acb17f7306151c403112103c7706b91c6af19f
SHA512fb543d62f058b8db7925324938919cf072fcaf72a3ed4dfc747653bf440b06a0cf42a4575ae6d11699af4470bbfba05c7833bef72c767bd33b77c1a3e94d8add
-
Filesize
1.2MB
MD59532ece73c995ecfd211a7e4866b1cd9
SHA103d0c2d5dc7a05f97ead1276a008c246b633be7d
SHA256a7ec3642b037508903d2b24c1b96ff653864107f9086711d3c3279aee7ffc16e
SHA512fe999fe4d82eb3ddf1db1644c88d4450d3cdfd711776142f66446d33666be5e3492f19306e1986b361f0274d47d6fad4dcd0998eeb9d1b185befb9b6946fd754
-
Filesize
1.3MB
MD583b5e7280b2dde55db8899373a2c3cc6
SHA18ff6d82d3357586f551e285d1dc0e2fdd6ab2b78
SHA2569a0f604849606ac88b0f82257434595300a3e04779efbf32b635ae62eeccbd55
SHA512cab225af66e1b6a62658346e3d7c60e0f4a5fba9376c6e983c96b1a12390b49006d160c2a4d7f8ba1e8fbc12f1a904b26a6063b256ab1d9c28d5ab29583d1ff8
-
Filesize
1.2MB
MD553b6b40107e0f5e7dc824edb3a82d3cc
SHA19cae67be58e513ce05a5ea6252d7446d95739ced
SHA256631c76d1c92b9bcdbbcbe16e870baa2cc3efde2a387a0576d6ed37b933988d9e
SHA5127c28be1bc1d580e12dca9b28608cc0d5f629d4f58bb48b9620b3d61ebcb803575494a784281b95dd1fee908c8193ba854569374938f64bb70d6c2d8a1a4a6fb1
-
Filesize
1.3MB
MD573b9846290b40c7eb4b717fc24e7475c
SHA11432c17ec9b1aa532a80733fcc3ae719d4846d4b
SHA2564d68a71bd8a58bbb6498fec7f26ccce15e54cecef02b7ee13b7a2ebc42440d85
SHA51249c0e20d099b04b1c1bb7dcb6f1d95c2d5b441da79e15bdc2015e94c023d19badadb6ec1aa09ff990fc10c73c9e0a1b923b92c586533849d1598f486cdb473b8
-
Filesize
1.3MB
MD54d3e855db9f072d5e4f04cf7e21fdc65
SHA136e96621b2cc28e36358ae76c93de5cea513a2a0
SHA256da082711cdeac0f083a8d1193abe381959a29e72e087e0950720dbddadb17b40
SHA5121e91abee0e94f24e608a960148e589454351109d2e071350d55bdb64987ab0c5e30074a2190ff77a03ee757e26048a77be1aa68b8593ae725c850f31903ae6b9
-
Filesize
2.1MB
MD59dce8914e0b4b3a100a38400201e8e7b
SHA19d4db003bbd9982e25d9e3d209f937afafc7f293
SHA2561880d8989df3555e3c5f1527cf379509f2995921373f844cf3347727ad96a98c
SHA512bd11d09092687126221a3d94e50a1210e7c3f26c6f9e9fcce7e8c6751f428cdb6ff8a929e23efc8ebea2f8bdaff32eafa7c30b82af017b6db6a3b1b60c33279f
-
Filesize
5.6MB
MD58aa2cf0362ecd859923921c3d16f1978
SHA142251b7ca0b04672a71abe570df5bb8d9015102d
SHA256e05351da353edb630f66449e9281df57cf7a600c79b4284e76018e24bf9008dd
SHA51245660ee4322ee291606033d09b9e60b4b3b3386096402bb02febf31b83cdeae57fedc2fb97592de16c2c25197a3054026a803e8761f765ccf0bb28ca23ef11b4