Analysis
max time kernel: 148s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 19:58

Static task: static1
Behavioral task: behavioral1
Sample: fc30de5f041264e2cf1740a3e139ad6c3d3def0b473588a7d8a81d5752da268c.exe
Resource: win7-20240221-en

General
Target: fc30de5f041264e2cf1740a3e139ad6c3d3def0b473588a7d8a81d5752da268c.exe
Size: 716KB
MD5: 445cb6fad5b6372e3f5155bdaadf281b
SHA1: c5cdf0ce67cb25619c541e15f93ba32a4e693ef8
SHA256: fc30de5f041264e2cf1740a3e139ad6c3d3def0b473588a7d8a81d5752da268c
SHA512: a0fc0d870ca3aa27fb558db0790e54dd07e82f2875320597465847ca840cd0d8ea0236845e144a9127e7e5871305607471798ee2f8c987a0c32481fb963bc551
SSDEEP: 12288:U3P/aK2vB+LgeKznl5TXJR0j3p2pVUrrQuLoWTF23JVbd0UILzXSocmKdYNq6:U/CKAB+7ozX0j52pMkuLoiSJVlIL29m7
Malware Config
Signatures
Executes dropped EXE 22 IoCs
Processes:
  PID   Process
  4372  alg.exe
  2660  elevation_service.exe
  4456  elevation_service.exe
  1612  maintenanceservice.exe
  3860  OSE.EXE
  1040  DiagnosticsHub.StandardCollector.Service.exe
  2180  fxssvc.exe
  3040  msdtc.exe
  1108  PerceptionSimulationService.exe
  5116  perfhost.exe
  1420  locator.exe
  2292  SensorDataService.exe
  3224  snmptrap.exe
  4624  spectrum.exe
  4724  ssh-agent.exe
  5096  TieringEngineService.exe
  1272  AgentService.exe
  4808  vds.exe
  3296  vssvc.exe
  3496  wbengine.exe
  3724  WmiApSrv.exe
  4576  SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
Processes: elevation_service.exe, fc30de5f041264e2cf1740a3e139ad6c3d3def0b473588a7d8a81d5752da268c.exe, alg.exe, msdtc.exe
Drops file in Program Files directory 64 IoCs
Processes: elevation_service.exe, alg.exe, maintenanceservice.exe
Drops file in Windows directory 2 IoCs
Processes: elevation_service.exe, msdtc.exe
  Description                   IoC                                                                         Process
  File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe    elevation_service.exe
  File opened for modification  C:\Windows\DtcInstall.log                                                   msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
  Description        IoC                                                                     Process
  Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0        TieringEngineService.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe, SearchIndexer.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid process
2660 elevation_service.exe
2660 elevation_service.exe
2660 elevation_service.exe
2660 elevation_service.exe
2660 elevation_service.exe
2660 elevation_service.exe
2660 elevation_service.exe
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
676
676
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
description pid process
Token: SeTakeOwnershipPrivilege 4124 fc30de5f041264e2cf1740a3e139ad6c3d3def0b473588a7d8a81d5752da268c.exe
Token: SeDebugPrivilege 4372 alg.exe
Token: SeDebugPrivilege 4372 alg.exe
Token: SeDebugPrivilege 4372 alg.exe
Token: SeTakeOwnershipPrivilege 2660 elevation_service.exe
Token: SeAuditPrivilege 2180 fxssvc.exe
Token: SeRestorePrivilege 5096 TieringEngineService.exe
Token: SeManageVolumePrivilege 5096 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1272 AgentService.exe
Token: SeBackupPrivilege 3296 vssvc.exe
Token: SeRestorePrivilege 3296 vssvc.exe
Token: SeAuditPrivilege 3296 vssvc.exe
Token: SeBackupPrivilege 3496 wbengine.exe
Token: SeRestorePrivilege 3496 wbengine.exe
Token: SeSecurityPrivilege 3496 wbengine.exe
Token: 33 4576 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4576 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4576 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4576 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4576 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4576 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4576 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4576 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4576 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4576 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4576 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4576 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4576 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4576 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4576 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4576 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4576 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4576 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4576 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4576 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4576 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4576 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4576 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4576 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4576 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4576 SearchIndexer.exe
Token: SeDebugPrivilege 2660 elevation_service.exe
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid process target process
PID 4576 wrote to memory of 112 4576 SearchIndexer.exe SearchProtocolHost.exe
PID 4576 wrote to memory of 112 4576 SearchIndexer.exe SearchProtocolHost.exe
PID 4576 wrote to memory of 2708 4576 SearchIndexer.exe SearchFilterHost.exe
PID 4576 wrote to memory of 2708 4576 SearchIndexer.exe SearchFilterHost.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\fc30de5f041264e2cf1740a3e139ad6c3d3def0b473588a7d8a81d5752da268c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\fc30de5f041264e2cf1740a3e139ad6c3d3def0b473588a7d8a81d5752da268c.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 4124

C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID: 4372

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2660

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
- Executes dropped EXE
PID: 4456

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID: 1612

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 3860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2260,i,9938964625802268469,1928462186077019554,262144 --variations-seed-version /prefetch:8
PID: 4084

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID: 1040

C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 1368

C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 2180

C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 3040

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 1108

C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 5116

C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 1420

C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 2292

C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 3224

C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 4624

C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 4724

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 2052

C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 5096

C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1272

C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 4808

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3296

C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3496

C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 3724

C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4576

    C:\Windows\system32\SearchProtocolHost.exe (child of PID 4576)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID: 112

    C:\Windows\system32\SearchFilterHost.exe (child of PID 4576)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
    - Modifies data under HKEY_USERS
    PID: 2708
Network
MITRE ATT&CK Enterprise v15
Downloads