Analysis

max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-04-2024 11:14
Static task: static1
Behavioral task: behavioral1
Sample: ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0.exe
Resource: win7-20240215-en

General

Target: ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0.exe
Size: 706KB
MD5: e8b9b3b481dc2830f0b49b673becb85b
SHA1: 65bdcbe0233bffd1bb40417cbd470160fead37b4
SHA256: ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0
SHA512: 6a0376f7b773d5dde3fc566feb2d16b6ab541ae2e4d271f368ecc955ff09fd5e5c8c458ea5f5596e53bac8243cb72c5f835cf12daf25eaf9541af98604d8683d
SSDEEP: 12288:KWiB+tmPr9SsFNHsyT1C2y7FdTuZoh1FW2qNcWVHH67QwE8iso:KWiBvPrcKNHsyT1C24RuZ01FW1cwWDF

Malware Config

Signatures
Executes dropped EXE 22 IoCs
pid | Process
2116 | alg.exe
2264 | elevation_service.exe
3992 | elevation_service.exe
4208 | maintenanceservice.exe
2948 | OSE.EXE
4448 | DiagnosticsHub.StandardCollector.Service.exe
1576 | fxssvc.exe
3204 | msdtc.exe
1396 | PerceptionSimulationService.exe
4516 | perfhost.exe
3952 | locator.exe
2696 | SensorDataService.exe
1612 | snmptrap.exe
5056 | spectrum.exe
2068 | ssh-agent.exe
740 | TieringEngineService.exe
1844 | AgentService.exe
4144 | vds.exe
2940 | vssvc.exe
4396 | wbengine.exe
1092 | WmiApSrv.exe
1524 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\eb9331c37d34635.bin | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_74000\java.exe | elevation_service.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | elevation_service.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a588954dd93da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008abb8b54dd93da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001cfd9155dd93da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099118655dd93da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 2264 elevation_service.exe 2264 elevation_service.exe 2264 elevation_service.exe 2264 elevation_service.exe 2264 elevation_service.exe 2264 elevation_service.exe 2264 elevation_service.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 660 Process not Found 660 Process not Found -
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 4848 ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0.exe Token: SeDebugPrivilege 2116 alg.exe Token: SeDebugPrivilege 2116 alg.exe Token: SeDebugPrivilege 2116 alg.exe Token: SeTakeOwnershipPrivilege 2264 elevation_service.exe Token: SeAuditPrivilege 1576 fxssvc.exe Token: SeRestorePrivilege 740 TieringEngineService.exe Token: SeManageVolumePrivilege 740 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 1844 AgentService.exe Token: SeBackupPrivilege 2940 vssvc.exe Token: SeRestorePrivilege 2940 vssvc.exe Token: SeAuditPrivilege 2940 vssvc.exe Token: SeBackupPrivilege 4396 wbengine.exe Token: SeRestorePrivilege 4396 wbengine.exe Token: SeSecurityPrivilege 4396 wbengine.exe Token: 33 1524 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 1524 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1524 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1524 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1524 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1524 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1524 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1524 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1524 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1524 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1524 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1524 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1524 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1524 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1524 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1524 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1524 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1524 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1524 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1524 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1524 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1524 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1524 
SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1524 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1524 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1524 SearchIndexer.exe Token: SeDebugPrivilege 2264 elevation_service.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1524 wrote to memory of 5404 1524 SearchIndexer.exe 131 PID 1524 wrote to memory of 5404 1524 SearchIndexer.exe 131 PID 1524 wrote to memory of 5428 1524 SearchIndexer.exe 132 PID 1524 wrote to memory of 5428 1524 SearchIndexer.exe 132 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0.exe"C:\Users\Admin\AppData\Local\Temp\ccbd27efb9cda8bc5c648cf4bb0cb05b4923c9bcd2b420255378f0b19c40aba0.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4848
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2116
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2264
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3992
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4208
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2948
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:4448
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:2180
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1576
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3204
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:1396
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:4516
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:3952
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2696
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:1612
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5056
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:2068
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:4000
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:740
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1844
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:4144
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2940
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4396
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1092
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:5404
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:5428
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD568313f6fe3a51aaac41b969873089b0b
SHA1c32e87af94977e4f603e4d19571a65f75376a173
SHA25603dfff43e423d60b5167ae66cde29f2ec3b9dd37cabf6913e4c920d53becd2dd
SHA5125a5de9ed48b3333d1aa222084f36f7777efe7bf10688aa90d598e6719525b7d628d573bf0598e8350977848a2e78dc01977fdd6d2a5d772e807fe6014a07d616
-
Filesize
797KB
MD5722109302a226a32156de9e9091bcefd
SHA1efe80577ee4639e278f65d9cea563af96004c4e6
SHA256c59c58c32497fc530e8f8fdba670380e50f6fdf2cf1005c70101af165ccfc062
SHA5122114bcaf53f1caab3226804e1096e5ecfabc9c03ae05c359d56b3203b82e1f91f28b2358d1108074f3b4afdc3b94991b7efad57b52cde581ccb5cf73bb524942
-
Filesize
1.1MB
MD575318213044853cb3c3af2fb44676b15
SHA1bea4a179b98849b1c841c792dee6d749b009cb67
SHA256a80c191cdf0ca9b73ddb8e9fa1a7536fc1709464bf062ba1556c576fd7c55fc7
SHA5129d9bdf0c7b575118fca3a8b98d04d0c73bbde58c0728813f58f8ea94fa2e18f727574582a23e143c2346aa82fb3dd9cf7ed0d09b77aa584d2a96fba23bb650d2
-
Filesize
1.5MB
MD5d1b330089f3071ba1015ffc9617d8320
SHA116cc4d399feae590335783e551ccc695644ad98b
SHA2567053be9b2dc911f16977440492842e258ed0c76b9ec09a587af605a61016314e
SHA5121ced778fe52ed3fea3586dff3a52899431d4471c75ca9ffa31a90d6976d714b8c7e9f2d08df058b28c53b3b23c06eb11fce2077aac8df69e61106547e014a78e
-
Filesize
1.2MB
MD5e19821ca6306161a28c638a7261affe9
SHA1b5453376891deb1734fa574c365f886a76e168b4
SHA25662eb218d65a834722fa0f835bb8166c08f52f4c712b3d14faf21d331c358f28d
SHA51295d6629bad53e469993f37bcb9e9d660d3cb0fffcb653a8ffabeb42bc3b86919f668cf4576a6af3a848cb21f36a88346b0d2f44ccaf7c683966a8496256969a0
-
Filesize
582KB
MD5adf3fe3d23faf5b1b8efc1fefa3d3d4a
SHA1d0403d9c2bcaaf7cfa5c8cadece5984597add60c
SHA256c100b6f1ca135b2b5c6574a5d7c39ebe7741ee132785db5e6821e952beba87b3
SHA512e99cda06d1857325fb98f1966c695ef51b52946477a309d1bb884e4ba8d14303832b70e427a92564725e3759cd6de08bb161f4ebe7208f3e506bf52e9ccefe7e
-
Filesize
840KB
MD5689fcd7c9c0cc7924f50335529188395
SHA13b2d0aae5472a6021906d34a9ab93d5ea82808b6
SHA256134394d1b75d20efaf410f517dddaa78b2c47c7cb430aeb0eed37d61bcfeb1f2
SHA5124e98412f7de99b16e60bf31ed7eea58c74ea81989bef305e92911f2ae0166e7b95bd9072406ed142305621925cdf5c483b33009b9c4d732f613af7876a2f5947
-
Filesize
4.6MB
MD5cf86d547b90803a432d48a3f871f74b5
SHA1399c99f434755bc453d74fb2f4cd6a3d0b48af3e
SHA2561f4ab044420d7a20f7e2e80b6d9e83783f5abfa42d443064651caa50e0d5e789
SHA512ce0a037ac3ce44ebca35e01c2e71c26be902d03381d6e867b39356b8795dad81444f069c9bceff358af565737ed5e01225e85aa5f4bab784ff896431f8b0618d
-
Filesize
910KB
MD59bf14bdd01a9308f60ca3af2e09af4c8
SHA1e8a6c8dca41261f4139b6f7dc469de4813cb233c
SHA256affdd3a8e5ae0e57a0862ea7f3866606cc314f9a8760e5f18eaa40e93880d665
SHA5127880978ed9c2c0aec8f629a83836adf6f3f212263d1ec2e6d6c1fc049952ba3cdff997d69092356b7eda19c75af2bef01f9c31a5693e14bfdcc934d51ab8b10c
-
Filesize
24.0MB
MD53aafd4a31935cd07f1052dd52f03be64
SHA10907f9f6db93f9b22348a0e31d73147ad050f7f7
SHA2566ce430611ce3c299d07bccb8d3663b028bcab02be5d7a3f39da536e58f758e49
SHA5125e0916e409e1897b77f9e9274d9d7ebad689301966f9f61e7c5a843f3cb193f7e916bc3357a01c465ff9cc7ae987ac2a0227d49533ac3cc643ad6987f2b61f37
-
Filesize
2.7MB
MD5c6ebbd80b8f86b95a2713effdf1bef53
SHA14990535defb46d1ebc5538c9710f0e3612ff4dfa
SHA256658de7ced3583ace260d5510d542877cc088ff67ada927085c0a593bb8b37fcd
SHA5125039aec0ca7704cacbb4e84bfc3927f486cb272351a1f1ada5485e741f805ed9554e69537de6068abb4bbc5397b9d33cfeab0a4339b9031a4dc1439cc2648810
-
Filesize
1.1MB
MD5ec82ce04e25b2afd630bc1289aca1dbe
SHA1ff6b9542edb411d1f6aaa39e2a267a5874ec9d32
SHA256b49099a08d192e07e30da76bb93050139e95b52462949aba1ea00b096b262dc5
SHA512e7b4b7e795dfec7e5c1bb555b6cf5825324353e7a1b4fd39535912131eb9d9b9f925c9a0dafaa482d3f09ac5a8c4afa0a7748a9807d703bec3dba30c1f4db550
-
Filesize
805KB
MD50834f07aca5703b953d3b5927f1b6b7d
SHA13ebadb88a5a68603dc89765fffee892b67a89518
SHA2565808ca02522b97ba21c57d0d177ab3799c111e8a3a4abd7e3b7c1176ace05b50
SHA512bf60ef2dae720a57f52ab18a13249f12148f45f66c9728fd3e62eced72612d72b1762050a1a81fe309f9cd8b65cf5a4f1174cbdb89cb873d203444ae5e7350a9
-
Filesize
656KB
MD58d9ade062b22a8148c88e3faa9504805
SHA13b6b8ddb945751978d86568890c93b414e7f32b9
SHA256dfb30c6123327c98f6bef5a81ecc534c3328258081629fa90e7ed5de13cddc3f
SHA5122cae1307ea8eb2db353ec76fce0cb43468c8869717907a1a646ac05e09ce525bfdbef7cba00f810eb500d30c7144bcec4dffa6a8753ad79047d7623a533babe2
-
Filesize
5.4MB
MD54d163bb9eaadf705b0932389db6f8166
SHA19028aa96443f0ab5f88f7a9fc98a12167917e5c8
SHA25662da269599ceb856b483ce2a2abe7a889b93b8b2075eb80baae4f94f116af0c3
SHA5128a45a397ac7514c3cc8c7ab9fad8fe1e5186bbe4beec736052c284f6ae87937b7321e702f573f089230581cfc1ae61285afe3c0875a071cbc1a9e3e34cf34bc7
-
Filesize
5.4MB
MD5d459c6a86aab855a63e6352263629ec6
SHA1c8e3d3f38ca980ff0da9cb846fd10f2cd1623a38
SHA256a178cbb075184a3074b185b7e18533f079afbd14b90a053f0bed7e0c1bd13c4f
SHA512f68d3bb38c657cb5ee174191a45ec87c17cafff3173a136fe92b895af1264a9ca36bf3629aa1c542b7fb3ae44378812e7646e2eaac52f1b000a634bc90c5a213
-
Filesize
2.0MB
MD50aa02a825c0eac077c7762ff582a0a6c
SHA1b91923513b4a5df970805de6418a622bbdfc0cd5
SHA256fa6499f2c0feccc7f68474d46018bc1d4b16e54fb090f8a9385781179b3821ef
SHA5122121b1daa7ec7c1265d7bf9a175a6f4892e4536abffb837a9ac8e2e8f49ea3c9c7d50a3156a981c72ca9e6c05731e73b355247f3f390b737b64563f87bf059df
-
Filesize
2.2MB
MD56461208c547b6c60114b1d131863d34e
SHA1f1aeb5b7e6bbcbe7e8d52f73eaabd4c28ebbb099
SHA256edd849670b47567c0121206ab11bcf62148739fe9ac9f2b4a9f714adfc997a55
SHA51294b50b9d21529bc4327e83ffb710ff042641de50384d60b01346846ae3fb00060d8d614882a71e409f0d5d10b0eecbddf58bb3e0d42738786768d40402642838
-
Filesize
1.8MB
MD5cd51ace496ef6bdac12a4e4a3988af38
SHA144132c3c1ac3239b0eaccf1357844994a7cac91e
SHA256e79c79924b2b69e7265a7cf9190a92926a2a8f63ab862f4ee3f07e3b874893a1
SHA5122db655a5ecea8bb4934ee7ff61ac1a23b8b8631f323bba497f75f133d40e321eadf60ae2a46c3e594744ce31e2a7a2dd5a8b3a6f8461642fa43332ad382a5303
-
Filesize
1.7MB
MD5f2003ee03d903ac18525b4d0909d9b38
SHA1a6830cfc68ad37d34cd603b21fdcfcd0696d4584
SHA25631397865449d53ffc1c44f25a59f4ea903b969f9c7b6901320e19a0ab1455ba3
SHA51234b410ad23128f8273567d7ce603963141fd7f9a8f0e4f5774764fecd9d36c8259243398588e97270afc041267bd59f8d1c6817b842005ac83f0a218fbdbd45d
-
Filesize
581KB
MD55da7ca1afda489ebe3c575a9a39fbef8
SHA118b9362b384935580f4a0ccacba0f5bb664ec538
SHA256f1d76ff79c8f21bbbfff41f31f60e0b4472fb40c941d26c32673ed988fcab806
SHA512f87cfdaa7a05c2004db7b46b779896d63f07a266491a55e56b200ff5b185390d30d5c2ef006ed5823d792d31ecf4b4cdebd406261a78551b1931306165e52ae6
-
Filesize
581KB
MD5f3eee7612b9a389111022c86b5565a8c
SHA1f7b0cecc055150e0fe7c02f0492a90639e7da318
SHA2560d86d6922d6aaa3e70e7b820a6947df4fc5e3bedd5d07071f133c39fe7a838b0
SHA512e358fedda0f4654ebb3d1c6bbb01e9b9602057a3a76300b78bf7c747dabca3dd30ab2ca76b225b9a928213f458bbae030f2f83804a1acb54595640fa5a61c667
-
Filesize
581KB
MD541c64166448c44e10409901604269647
SHA18f6621a1bee0480c0ec41e236556ac8c31a3ba81
SHA25680c3a516ac5be4eb6010c2770d52649543d04d7afe4a3010584c8bf8de60f267
SHA512bf9d0cafb4f9c9272d468d9b939f5d205281f6f3dbf2c4d289babc550314f8c44d691fd2a2c55f92f39d7f786a1f8219f3c31de95374e3c1469dbd686a10cca3
-
Filesize
601KB
MD50132f106f4926dd4e419210b5b2a8a7b
SHA19274ec0c78cbbb8f48b4b6c4d9fee0b0f964aab0
SHA256ecf6111183cab1d6a5be5145953e08aa7a0267a4fdfb2829859056123435f7fd
SHA5126d96114f6fed50d839df43338cba8bdc7c77dd7e42051967bbd167557961fd70713da5d43c97513d165ade067298ebd4faa5896752e5e7bb81edd1d16e406be6
-
Filesize
581KB
MD53cb51a413966a92138d89ac9ff3800fc
SHA18b2a7e23730113922f4dfcab354e47b4f4879791
SHA25689ad6d19600782ff3785a8f0060c3394415fbc75e482eca8214ac8b90a9926a4
SHA512af896990f59128ed15abbde1fcdae69c3eb13000d322cbd7d5d9a10b6d386ede01fa77d4d3afea4ed45d7bd8d456c1f2a8bef6500fce7ef873ee4c2ec88e8b2f
-
Filesize
581KB
MD5c90232d33e0182d2f7e9ef57fd751550
SHA15261b18f592ccafdcbe8ea66def2882628927236
SHA2564fbf3ebbd47f33998de5824206aaf075f66d792447f6bafd9fd05dff727d6729
SHA512034a2b1ee81ae39d51d53180b3b2e1b11024581112a1c73cf03aaffea3e094bd77b63d55d2498b3ab7201dc44f164911111ec46209b32d4d99757d2852a25a83
-
Filesize
581KB
MD5209044dd90da88277577aea317cf348c
SHA191aaed72f3b00e393ea3ff8615a5c962d5761e98
SHA2569c61b20098a019a79f9e47170bb7bc7dcf0cd2f313347378cb172abf9af7203f
SHA512eb023b9b4ae3fb26d20784acd1b74239ea1fa7687c98e0498d0c6f07953c60d9d858586f00a4046d308b0b17a1f21061706bb3dc078dcabebf66548931635252
-
Filesize
841KB
MD53fe937438181015e81af1fc8c4de6546
SHA110e20cb21a54eb8d4870dc615b3cb2ff14932091
SHA256c21ae4cedc3d6a82cb61bbdcb66bdf48d0851c9268f254234203a9107f025522
SHA5127d51c510a1c1618056f87876f877d8332be766b741213b3bec6ff3a9367f28ffbe708052dd43208a3cbe2cdc43fedccea3e8cad8a60baff10be38e581f184ccb
-
Filesize
581KB
MD529cb071c6d8b31395c79a115ae96c05d
SHA164ec30a3ff11946f43b26c4574467acb452f6b76
SHA256a5917ad515dc907ed66e02b7fd6e7ba8c8503f3031d9c145259651b76dbbf77a
SHA51208373af63e558f01b39e475b10332b2c47095703a5673baa14ae6a6d940974c352e26c82a78d8d4380e0260e90cc82218e375d3b5cda148e39365cb69cf1dc81
-
Filesize
581KB
MD580baaa62420d7ec5351c48790bccae1a
SHA1ed55c2c91fa9a20765fc3b6a247531bb530fe8f3
SHA256163dafaec26452d3d9477a495170076bb60da894e4e507955f705e0ba1e84137
SHA51230f4aa8412b2540d061230dfe74dd0be19e6dc3b056f3eb44327935048f2d9b46cfa18ded3acbe1bafd19c521c2546f86ec79cb0ae1b8c8d10a09f3739ce4240
-
Filesize
717KB
MD52042f6299407ab219f23ffb0b8c9ef0c
SHA18f2880bc8dcadd3a15c16d887e7554eb1ac345da
SHA256e01a9dabdcc1624f8059540348e3dae8f436fadc472787e4c9f3e221f6762a29
SHA5129a6b7536ab4560eba0f9096137879a6ee3141229bf4012d53ccd02bc5d1e190172b1d227f3eab4a57785f17119c1a53f282ea83b4da1ec33d3a75a7c89bfc2a9
-
Filesize
581KB
MD547bbfac88030ac3be5bcf8da84494fa4
SHA11cdc7e8949b710fa757f625f0927c105754ec10d
SHA2569f21538c217fd1b3235b9a1809bcfadf2a877f65f4bc0101725dbd369c83384a
SHA51281fd1faac29e1230fc6c28c0e9075194e2f3bb009dfca54b4682cf351160e82ef995ab418fb35c20a4dd45bc014779a6bdd244e45beeb54d4613529749827859
-
Filesize
581KB
MD537c9bf150dd6a5d3b7fb253bf1f0fbe9
SHA19aa71a27a23f9f8a9f190eaa893d5610af41858f
SHA2566c8664b4c34f5d1c3a0b03e570664ff60e3268e0d76804f6f3b418693285cbce
SHA512d035831f06565b6284206cdb2054f1b6cbb06f6f6943592701ec35228ef292a0e11e6550b436992a3c530e211a0481acfbbe5961f5dd5974cdc2bb940d851afa
-
Filesize
717KB
MD50b44c07515f33323f7e6403acdcbeb9f
SHA133d991b242e264e4ec92ca22d4c2be8a10b9a105
SHA25632b70c3e8f24ab84ccd944a30da0bff037558b31741876d3859f603b9fcd38a1
SHA51292e1cff0a60fbcf6f37f7fb0254bdc394c81d7d88f4a962acbe6855321252529ec07d8ceb384915c4ad223fb313c2c5e8dc0e539262bf1433fb4b88fcac35513
-
Filesize
841KB
MD507cc3dbddc884f7d64384d9bb66c6330
SHA11c3806e455650c985e6d8df27db4b13956ef5a27
SHA256d8dd687e6a75bb72aabbb73819841c908410db44aa418966ca16118d15c3bb84
SHA5120dec04b5032ed5121513a8b4769955f2a89844ac39de29de76fe325914534b03e17a95f1c50d31abf4fb026d11f986ee86cabe39ae757d0e744c1a113151b8c3
-
Filesize
1020KB
MD5cf0ebd3b67b284f5671587533c97e5ce
SHA106b429b4b8e794982d607907450bad1356da80b8
SHA256e79dabec27738df54d92c3985faa8ad52bdd5eca6d9190f8a3db6f5215e9dc90
SHA51278e38dbc4d03dc1805024ecb792aa1c6655b1f010a080d0115b0eb504da665a6dc058a98725d27e65e1402d4c49872b7a3b3bc4900fae84c3ecea2c8fb752ca1
-
Filesize
581KB
MD5b4eb359a2da77a2d1c6d0af169017335
SHA14ebb57c985177d2464c10a25ba037cdbc11d3249
SHA256dc105ad0ef918ccb072564fdfca0c31e1cfff022940f2d3811157d40cbdd0b93
SHA512c799be418e2bd0fe69817997a788b71328e3fe79c53052d9aa1a099e54162c4d9d53a8d4be8e5253cd158bb0d09f49f53ad730c4539dbd5048b15419f9b82fd4
-
Filesize
581KB
MD5659a1077bfd31195b517efd8b3e5b73e
SHA1ddcd04878e9667726c91ad78bf2b1e10eb8336cc
SHA25681a091d8aeb65bd4d648a6927ca3b806302cbc4b688b3a6b5b5ac7010d7c5834
SHA512546187a69bd3db5f553f97c3cf6611360dbb7cc7d057b5c9fcebe586e5190f7b0f1b7c5d627b2acefd90d8a94e9f7225ac3152b537ae6382c456755f0f0bb12a
-
Filesize
581KB
MD55321e18ae671de78ba8b19c07224f4d0
SHA1c7600390ab4f19569d7e29d0abf2c55c3d8a625c
SHA256a1dd10c1d0e00e54accb4c1737bd60aa8a5aa13b1f7e127104c3b2f0041d4db0
SHA512a555b8a4b42b3f1911b328f0ac7cd5058605ced586ab89157b632380d0d292a1947f45913920bef44d15f5578a8022aac80473ab13cfa8665094b558764813b4
-
Filesize
581KB
MD542a93ab82a80012ae1767545f02a8487
SHA1e994fd0257c223fd1045eca0df2c6bdabc216c9a
SHA25617a04350a68de83a55033e77f0a34cc625ef7bf0012e23bcc62ef1a4cbf1cc9f
SHA512c5d039afd7461e155353889e14b630a2867c0b8c8b91d175df4f3b3a6e493674cafa15337efea7f3c45d13907d8f3744d229bc721404f37cbde5d9504c64cc99
-
Filesize
581KB
MD5b7fe8451ad25cfec867de53a13eb2b38
SHA1030f2fd44c3cc45857645a69a3824191fb326599
SHA25635702f9618f875455a7f03e8032f1e6e631ee1347004f093763779bb2ef3c223
SHA51267651f11763b8dc13bed868409a8a512fb5a17bc7345a29d3565c4e2375f67118722f18e9f6052f41e308365aa93c84800833c2093313edb3999cf9681da1c9a
-
Filesize
581KB
MD5fa2e7394a778a0c1536ff7aa04eb9625
SHA1c4a519dab046969c895dc90db89d364665696ce7
SHA256e8237e9da1cb880f786c9c7c64aef2186299994e0aa0678680b4f2ebb4d6a949
SHA512833513727949893731795b1fb831ad56678f27240f06d4d96decb5c465d08201ca42f0ed346ce83df56ddcfa26d2ff653532eb834ed89c3d4d46c69249b5320e
-
Filesize
581KB
MD5507e98063828e180afaaef3aebd613c9
SHA1cfad8208898c99efb9c88bc4679c9ed6af7393c4
SHA256b887277db58b7ce275bb391b866908e861c65330da7a7a576feb0e0d935744d0
SHA51270df43246358c8b3f5a5f9b24a53f4ecd2723f3ea2e338d74aa3bd91f2817473c319ae74b9083f8c81c11e87fbde4fba5a9fc592c6a3760bd882025d76b6cfe2
-
Filesize
701KB
MD596014aecbcaa2c4dcab729f079cba07c
SHA1d9efa3ed4366a8e25efbc5c9985de2dfa4096c59
SHA256f9165a9ec98c74e9f0b01755f0055fd739ebce97937b3793dab31eb013b98e94
SHA5126013f2d1dc124c75af318ca17bd3551d8fea44b00b7172d25fd79516ca6172aa45b2bd6ba516dfcafe2ea57dedb95be164afeb3fb190e4b9a5e24a7350e354d6
-
Filesize
588KB
MD57fd5695678893ecd6100067eb21b4de5
SHA1862a655134486e647ef736dd663e7110a583d6fc
SHA256ad138e37dad13352fcd135fc87fc2db1060c1c73c8bfc02bdd076039349a2928
SHA512c317c320fc7f155cb56fcb099dabfbbd5fb497c7d541a6d9ca1759c5c7beba23fbf83ca51442bdf63a5294cb5b0e5733720a27349c28ac7cd6b9861774a4cc34
-
Filesize
1.7MB
MD5804db3a00bad92d5e918fd786d65b134
SHA12243f05e2285c934822d2e02538460a28e9207bc
SHA256a4b354c865f9717e254f44e6e63ec5f5c4f7879b97fbebd1ad74638031dfe596
SHA51229169be68c5b873218bfb57746d46b79f747bb8ee639c2ce6cb99aa76ea354f2859c573a3c01b209adae1ae1cb01822f97a4d713abb46da7fdbe587cfc6f6bb2
-
Filesize
659KB
MD5c82f749f2a617f70cccb3c7c4bcd00d1
SHA1427900ebf2a82a92b26c175ed049238d41ef65fa
SHA2565c3c25daa78a461e045754f14ef4dc639918cb48656d9b6c58a3ab7a722220e7
SHA512e2a70d1f00cf2c6fc26e0724cd37eb201a0a47eba7c2b11a372eb1e8c3b6b98b525160c422b694404f53f6e1f2ff7b9088d3c085c625ebad18afa8aeccceb0f4
-
Filesize
1.2MB
MD5a330c03e87a1fc38a782a5b86c79caf7
SHA1ef558b5e476fc78a84d4f5ab35d95bcb1372eefe
SHA2569e6db9a9203d70bf1757e7a2a437b18a1228225c29cb908e4ae58cd6d49ac8c1
SHA5123d30b152ef0e20788a5cd0c04e84354e1d522cf0c25eeb583ca1826c61c1ed37e3ba5b7ad3119c545154e6a29d8d691e274a2e4d318beecc2382ab29b9079094
-
Filesize
578KB
MD537b18f915635762638e4a5584a2ed514
SHA1b561ee8dbfac42b6d4fa84ff6f3f0339474d0d0e
SHA2562c85c7f8197e440d6a761ebd638b0240ac4e4bbb4f778128a80275eb27cf979b
SHA512496bedc81dcffc22779cd6e659f82fbf5fd7e6c3507e143ba6ad3176d225c07f6f7043cfcfe61f6921d760f9db2e81db1d712a280e693b0c0a65b13645e98198
-
Filesize
940KB
MD5d53e3df584e1dc6e8fe72f2e5e002dbb
SHA1097ac25911b1e38f3863df1f133a313cd718808c
SHA25647a453e12ff723a95f23e3a2cf3089fc55fbb93cdad6b7513f9381821219c450
SHA512980f7e48d3e93576cec95b9a9ac751d2c9f4606370995ad9c9c7310863220fecde0329c9a95c466f5d3a643f8cbd681988080452051c496af599bf92e601e79c
-
Filesize
671KB
MD5a12dccd93380b84aedd461c130dd3d07
SHA1bc2de9d4e268af4e1816409da220d9db199840b2
SHA2560e7cdb7da63d7c8568c414b9a117d8cc4130d504df56753c94bf95010ab2ff55
SHA5121e0d6560509f8b2fa63b4365ad83f985f6da7533bda13b2dcee76196476b8cd3f20e4b679cf4960aa65952db711dadba1273ff4829a3965eb61b90e4ce0d679b
-
Filesize
1.4MB
MD5eebb26e62a57b6a38e0e6563974bcd63
SHA1fdd9f414e55654847419ab0f909740c9ea4cf2ba
SHA2566d754936d63ac1d576cb1f8515b68286ba7f04ba8ddfd89aab3ff947c8835323
SHA512276097f595d0aeaf8ad07b16669784848089cba41ca6289001c3ca958fb81c6aabc28a8a9cc28a8a5a3785e50e0ea08a2b78643192e88c4091abe3da0b496cb6
-
Filesize
1.8MB
MD5b437a6df2a5eb57f5698490db6242eea
SHA1b534ae89eb4184ae1a11983a7edc747f8f58a3a2
SHA256258eb022fee555b3185660a47bd072fdaff84a6898d241d9e731b3a46d88b97f
SHA512d2eac8c8d3e8c388ae7919658c9d59b52bab669c27ad5f3b1e3b8417d59fa86f6e5384fd03e0b549b290b0cfcef289391d24f23f5aa1a2ff20d7a648a234ab1d
-
Filesize
1.4MB
MD509960c69da8e12147dd6e6626a6f5da8
SHA1d5108eeaa15940470e225d21874b5059b23ef746
SHA256734f085e7ab083db766905fa6cb8a2c4da90129f2a35970db3720718a47a2d78
SHA5126426ca4e90d111f8f40793517e67fc5a0665a43b75940b972c6f37a03308d387dc8b632c959a753f164bdff8e06607c4be0e828d3c888b57cf5ead9ca289830a
-
Filesize
885KB
MD5ba81ba45875c56a0630a65edf6cff9e1
SHA15c7beebc5079ca3b0794ecc38f578484a28e59ff
SHA256ebb63141da40a2e6ecacb47f6c1340925e9dca60ce802ab854dedd53e7634a70
SHA512aba27523050a8564f08f5292e8773ec97598e1110d24b6ec837788597e15f0fe76922c177bbe84d8aeb0e5a1f8dacbdd37567ba1726d48afb5f01ef7c58ec93c
-
Filesize
2.0MB
MD5f9f51f1d8094a9bd1a74aa0a5c4667e3
SHA16273ae02dc9b1d0c28384048fae67b7707a3add4
SHA256347a192c2ecfab97b9b9aec53443372da7eb4f6734f4bef504cb6f17aff6b28c
SHA512b5c664ec32b37d0e69026b9e13cf4cd8a996933803116007c79cd11938391fcd35389462951574b8c6111c00f38b3ebc13ff373f704850101f71fbffa8b4b473
-
Filesize
661KB
MD5d25f5e45056cc9e7049ce6798c3e4f83
SHA1715cecd977ba3393632b9cef3160fc6a4899ce2b
SHA25682a167dc60e849efdf2cc53b657319536e5ff5da7c1036f3665b9e2f29135bd4
SHA51220cd716d9917eebd83c10a78def2f4510d3658f2cfd33bfd54e1ec6f8e2ccb583d40d52255b4516697ea1d953f2b32e72ad8a7e411008ef20fef97295f50afc4
-
Filesize
712KB
MD5665a56aad44045b65fc5f879ebf32aaf
SHA10802dc2d6031e15ad11129c0b629ace25c51431e
SHA256a30c24f362d567f0541e79bcdb16e92804aa36805ac2ff05502b9580fec817dc
SHA51241601370256106142c1d0c160c4586169b99309c7344ff3d117cc0ee40a344d34f59464181318a51933bfa1245a9a6d37eadb0adab73debfd30bd9c224f9c15a
-
Filesize
584KB
MD560853726220e2e328fde8ea41d24a03f
SHA15a7296eee3b297e50aad3587e558084f464c3682
SHA2565e2b26ddd5fecae08057da78e57ca558942c7f128254cc037d2fdfd99fb4add8
SHA5126f5f46e217dabc020ed901a1945c892aecc76be545939b8f040ce8c17247fd549f26569c059d5fb3893dd6d0d2c91341ce0b24adab526332bc12df89950f1916
-
Filesize
1.3MB
MD52e5c42c280b3e09e0fd8536e4940c9d0
SHA10629bbda354b8e7b2fdc82a368a36e66f3004240
SHA2563bd4d85e3fc7f1e0baaa00321eb4f753d37fa2c106f75dd8263ea858d9fa0382
SHA512d23dfe5c7fd22ecc4a3bc159d3b329749b45cc74f52dfed21509444103df3a3063b84f5106a67c70310208dabc92fbee913c019aaf1a34d37efdba8317857967
-
Filesize
772KB
MD55c7ff8eb41f376e7a69034512fcb4d14
SHA15e6dbe004341fdd5aefa747576f9fe51bb6ab0ea
SHA256c11fda5eacf3db293ded13d2d78f0fbca8e233ed16150fd9ffcd88dae183356b
SHA512d5fc88342fc931b1361e4dcf342191f9279588ab19b72b51670a3ae60dadb42e0c90fc760ca11f9cf3d0b561f01d74742bf8a5136b3895af749488398bb64a74
-
Filesize
2.1MB
MD516cd803483e347f4e27f1af6c0c7dad4
SHA14b2851ecc82144be1980540201ee15ab25e30d64
SHA2566e470f846be2c6bd1175c9fad1f21439a25bb6cd7d6b3d3e0f77103a2321518c
SHA512dba5a2bba0a6a3670368833c3322f4294f21afb386a50507757aa3f82ae4c4ef81e1c806b86a72c53a7f3aa12eaabd7f01f1aace05e9cfc6eea97b29e54d3a82