Analysis
max time kernel: 119s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/08/2024, 06:56
Static task: static1
Behavioral task: behavioral1
Sample: f56dd8dc9c7fcce57527671fc06938c0N.exe
Resource: win7-20240708-en
General
Target: f56dd8dc9c7fcce57527671fc06938c0N.exe
Size: 663KB
MD5: f56dd8dc9c7fcce57527671fc06938c0
SHA1: 6cf4da7f0adaa0c0c5babc20db29e4bfe8345524
SHA256: 55a12ed3afc4190ad7ff980a3a6bf873b838d65cf9b19dae0333e8aa704978f7
SHA512: 98c0a416d38be3d141528de82eb825ea08d45fa9acccc1e1098a80a7a787441f1a69fe1c3f48c9355d246d9fd39f9869d6a63b143fb41fcc812718ca05bddb95
SSDEEP: 12288:XoSdrFW11pUdglnybqL5tml0aTcMjN12xdUb6pSsFQHNP51lK9+Prapve43kT:X5dy11l11tmlNQ2OnBdFQtP51llPup3I
Malware Config
Signatures
Executes dropped EXE (22 IoCs)

pid | Process
4596 | alg.exe
4064 | elevation_service.exe
2692 | elevation_service.exe
2440 | maintenanceservice.exe
3264 | OSE.EXE
4928 | DiagnosticsHub.StandardCollector.Service.exe
2240 | fxssvc.exe
2532 | msdtc.exe
4812 | PerceptionSimulationService.exe
1412 | perfhost.exe
3056 | locator.exe
5048 | SensorDataService.exe
3432 | snmptrap.exe
2548 | spectrum.exe
3176 | ssh-agent.exe
5036 | TieringEngineService.exe
4756 | AgentService.exe
2624 | vds.exe
1340 | vssvc.exe
4228 | wbengine.exe
2232 | WmiApSrv.exe
4932 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens. The report records no IoC for this signature, so which browser files were read is not shown here.
Drops file in System32 directory (30 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | f56dd8dc9c7fcce57527671fc06938c0N.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | f56dd8dc9c7fcce57527671fc06938c0N.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | f56dd8dc9c7fcce57527671fc06938c0N.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\58d792994521e136.bin | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | f56dd8dc9c7fcce57527671fc06938c0N.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
Drops file in Program Files directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79125\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | elevation_service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | alg.exe
Drops file in Windows directory (2 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f56dd8dc9c7fcce57527671fc06938c0N.exe
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments. Here the reading processes are SensorDataService.exe and spectrum.exe, both Windows service binaries that elevation_service.exe modified (see Drops file in System32 directory) and that were then executed. The enumerated devices include a QEMU DVD-ROM (Ven_QEMU), which identifies the hypervisor the sandbox runs on, alongside a Microsoft virtual DVD-ROM and a WDC disk identity.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. The reader here is TieringEngineService.exe, another service binary that elevation_service.exe modified and that was then executed; it queries the ~MHz value of CPU 0.

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
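The two registry tables above only become useful once the hardware IDs inside the key paths are decoded. The following is an added example (not part of the sandbox report) that parses the Enum\SCSI key layout (<class>&Ven_<vendor>&Prod_<product>\<instance>\...) used in those tables, labels vendor/product pairs that name a hypervisor, and classifies the CentralProcessor read. The key paths are copied from the tables; the marker list, the labels and the function names are this example's own assumptions.

```python
"""Decode the SCSI-enumeration and CPU-description registry reads from the report.

Added example for this report, not sandbox output. Key paths below are copied from
the tables above (a subset); VIRTUAL_MARKERS and the function names are our own.
"""
import re
from collections import Counter, defaultdict

# (key path, reading process) rows copied from the two tables above (a subset).
REGISTRY_READS = [
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009", "SensorDataService.exe"),
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName", "spectrum.exe"),
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName", "spectrum.exe"),
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000", "spectrum.exe"),
    (r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz", "TieringEngineService.exe"),
]

# Hardware-ID layout under Enum\SCSI: <class>&Ven_<vendor>&Prod_<product>\<instance>[\<value or subkey>]
SCSI_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)\\(?P<inst>[^\\]+)(?:\\(?P<rest>.+))?$",
    re.IGNORECASE,
)
CPU_RE = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+", re.IGNORECASE)

# Substrings of "<vendor> <product>" (lower-cased) that identify a virtual device (our own list).
# "Msft Virtual" is ambiguous: Hyper-V presents it, but so does an ISO mounted on a physical host.
VIRTUAL_MARKERS = {
    "qemu": "QEMU/KVM",
    "vbox": "VirtualBox",
    "vmware": "VMware",
    "msft virtual": "Microsoft virtual device (Hyper-V or mounted image)",
}


def parse_scsi_key(path):
    """Return the device identity encoded in an Enum\\SCSI key path, or None for other keys."""
    m = SCSI_RE.search(path)
    if not m:
        return None
    return {
        "class": m["cls"],
        "vendor": m["ven"],
        "product": m["prod"].replace("_", " "),
        "instance": m["inst"],
        "value": m["rest"] or "",  # FriendlyName, Properties\{guid}\NNNN, or '' for the device key itself
    }


def virtual_device_label(device):
    """Hypervisor label for a parsed device, or None if the identity looks like real hardware."""
    ident = f"{device['vendor']} {device['product']}".lower()
    for marker, label in VIRTUAL_MARKERS.items():
        if marker in ident:
            return label
    return None


def classify_registry_probe(path):
    """'scsi-enum', 'cpu-description', or None for keys outside both fingerprinting areas."""
    if SCSI_RE.search(path):
        return "scsi-enum"
    if CPU_RE.search(path):
        return "cpu-description"
    return None


def virtualization_indicators(reads):
    """(process, device class, label) for each read of a device whose identity names a hypervisor."""
    out = []
    for path, proc in reads:
        dev = parse_scsi_key(path)
        label = virtual_device_label(dev) if dev else None
        if label:
            out.append((proc, dev["class"], label))
    return out


def probe_counts(reads):
    """Per process, how many SCSI-enum and CPU-description keys it touched."""
    counts = defaultdict(Counter)
    for path, proc in reads:
        kind = classify_registry_probe(path)
        if kind:
            counts[proc][kind] += 1
    return {proc: dict(c) for proc, c in counts.items()}


if __name__ == "__main__":
    for proc, cls, label in virtualization_indicators(REGISTRY_READS):
        print(f"{proc} read a {cls} device identified as {label}")
    print(probe_counts(REGISTRY_READS))
```

On the report's data this yields QEMU/KVM for both readers, which is the sandbox's own hypervisor showing through. The reading processes are Windows service binaries the sample had just overwritten, so on a live host the same keys being read by the genuine SensorDataService.exe or spectrum.exe is normal device enumeration; a detection built on this should baseline which images read Enum\SCSI and alert on unexpected readers, not on the keys alone.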
Modifies data under HKEY_USERS (64 IoCs)
All of these entries are MuiCache strings, FileExts/OpenWithList keys and shell-extension cache values written by the Windows Search host processes (SearchProtocolHost.exe, SearchFilterHost.exe) and the Fax service (fxssvc.exe). Those services run as SYSTEM and therefore write under the .DEFAULT hive; the entries are a side effect of SearchIndexer.exe and fxssvc.exe having been started (see Executes dropped EXE) rather than direct registry tampering by the sample.

description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | S

earchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006fa2e14817eeda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007515164917eeda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004268c74817eeda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008056b44817eeda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d005c54817eeda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005d2beb4817eeda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
4064 elevation_service.exe
4064 elevation_service.exe
4064 elevation_service.exe
4064 elevation_service.exe
4064 elevation_service.exe
4064 elevation_service.exe
4064 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
660 Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1928 f56dd8dc9c7fcce57527671fc06938c0N.exe
Token: SeDebugPrivilege 4596 alg.exe
Token: SeDebugPrivilege 4596 alg.exe
Token: SeDebugPrivilege 4596 alg.exe
Token: SeTakeOwnershipPrivilege 4064 elevation_service.exe
Token: SeAuditPrivilege 2240 fxssvc.exe
Token: SeRestorePrivilege 5036 TieringEngineService.exe
Token: SeManageVolumePrivilege 5036 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4756 AgentService.exe
Token: SeBackupPrivilege 1340 vssvc.exe
Token: SeRestorePrivilege 1340 vssvc.exe
Token: SeAuditPrivilege 1340 vssvc.exe
Token: SeBackupPrivilege 4228 wbengine.exe
Token: SeRestorePrivilege 4228 wbengine.exe
Token: SeSecurityPrivilege 4228 wbengine.exe
Token: 33 4932 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4932 SearchIndexer.exe
Token: SeDebugPrivilege 4064 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 4932 wrote to memory of 5020 4932 SearchIndexer.exe 125
PID 4932 wrote to memory of 5020 4932 SearchIndexer.exe 125
PID 4932 wrote to memory of 4980 4932 SearchIndexer.exe 126
PID 4932 wrote to memory of 4980 4932 SearchIndexer.exe 126
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f56dd8dc9c7fcce57527671fc06938c0N.exe  "C:\Users\Admin\AppData\Local\Temp\f56dd8dc9c7fcce57527671fc06938c0N.exe"
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1928
-
C:\Windows\System32\alg.exe  C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4596
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2692
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe  "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:2440
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE  "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:3264
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe  C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:4928
-
C:\Windows\System32\svchost.exe  C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1660
-
C:\Windows\system32\fxssvc.exe  C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2240
-
C:\Windows\System32\msdtc.exe  C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2532
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe  C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4812
-
C:\Windows\SysWow64\perfhost.exe  C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1412
-
C:\Windows\system32\locator.exe  C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3056
-
C:\Windows\System32\SensorDataService.exe  C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5048
-
C:\Windows\System32\snmptrap.exe  C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:3432
-
C:\Windows\system32\spectrum.exe  C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2548
-
C:\Windows\System32\OpenSSH\ssh-agent.exe  C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3176
-
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:3644
-
C:\Windows\system32\TieringEngineService.exe  C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5036
-
C:\Windows\system32\AgentService.exe  C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4756
-
C:\Windows\System32\vds.exe  C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2624
-
C:\Windows\system32\vssvc.exe  C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1340
-
C:\Windows\system32\wbengine.exe  "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4228
-
C:\Windows\system32\wbem\WmiApSrv.exe  C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:2232
-
C:\Windows\system32\SearchIndexer.exe  C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4932 -
  C:\Windows\system32\SearchProtocolHost.exe  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:5020
-
-
  C:\Windows\system32\SearchFilterHost.exe  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:4980
-
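The process tree above shows the sample (PID 1928, which requested SeTakeOwnershipPrivilege) and then alg.exe and the Chrome elevation_service.exe opening service binaries under System32 and Program Files for modification, after which those same images (alg.exe, both elevation_service.exe copies, maintenanceservice.exe, OSE.EXE, fxssvc.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe and the rest) are flagged "Executes dropped EXE". On an affected host the first question is therefore whether those images still carry a valid signature. The PowerShell below is an added triage example, not part of the sandbox report and not a tool the report names. It walks the paths from the process tree, calls Get-AuthenticodeSignature (which on Windows also consults the OS catalogs, so catalog-signed system binaries report Valid when untouched) and Get-FileHash, and compares each SHA-256 with a set you fill from the Downloads section of this report; that set, the elevated PowerShell 5.1+ session on the affected machine, and the single pre-filled hash are assumptions.

```powershell
# Added triage example; not part of the sandbox report and not a tool the report names.
# Checks whether the service binaries named in the process tree (all flagged
# "Executes dropped EXE" after being opened for modification) still carry a valid
# Authenticode signature, and compares their SHA-256 with hashes from the report.
# Assumptions: elevated PowerShell 5.1+ on the affected Windows host;
# $ReportSha256 is filled by hand from the Downloads section.

$Paths = @(
    'C:\Windows\System32\alg.exe'
    'C:\Windows\System32\dllhost.exe'
    'C:\Windows\System32\AppVClient.exe'
    'C:\Windows\System32\fxssvc.exe'
    'C:\Windows\System32\msdtc.exe'
    'C:\Windows\System32\locator.exe'
    'C:\Windows\System32\SensorDataService.exe'
    'C:\Windows\System32\snmptrap.exe'
    'C:\Windows\System32\spectrum.exe'
    'C:\Windows\System32\OpenSSH\ssh-agent.exe'
    'C:\Windows\System32\TieringEngineService.exe'
    'C:\Windows\System32\AgentService.exe'
    'C:\Windows\System32\vds.exe'
    'C:\Windows\System32\vssvc.exe'
    'C:\Windows\System32\wbengine.exe'
    'C:\Windows\System32\wbem\WmiApSrv.exe'
    'C:\Windows\System32\SearchIndexer.exe'
    'C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe'
    'C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe'
    'C:\Windows\SysWOW64\perfhost.exe'
    'C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE'
    'C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe'
)
# The Chrome and Edge elevation_service.exe paths contain a version directory, so glob them.
$ElevationGlobs = @(
    'C:\Program Files\Google\Chrome\Application\*\elevation_service.exe'
    'C:\Program Files (x86)\Microsoft\Edge\Application\*\elevation_service.exe'
)
$Paths += @(Get-ChildItem -Path $ElevationGlobs -ErrorAction SilentlyContinue | ForEach-Object FullName)

# Assumption: SHA-256 values copied from the report's Downloads section. They are
# lower-case there and upper-case from Get-FileHash, hence the case-insensitive comparer.
$ReportSha256 = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
[void]$ReportSha256.Add('1e8e4f5eaf3db028ed2b5b87bb7b2113c777886b4db68040a360cf9c9669ebbb')

$Findings = foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $sig  = Get-AuthenticodeSignature -LiteralPath $p     # catalog lookup for OS binaries, embedded cert otherwise
    $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path      = $p
        SigStatus = $sig.Status                            # Valid on an untouched binary
        Signer    = $sig.SignerCertificate.Subject
        Sha256    = $hash
        InReport  = $ReportSha256.Contains($hash)
        Bytes     = (Get-Item -LiteralPath $p).Length
    }
}

# Anything that is not Valid, or whose hash appears in the report, is a candidate for
# reimaging rather than cleaning; keep the full $Findings list for the case file.
$Findings | Where-Object { $_.SigStatus -ne 'Valid' -or $_.InReport } |
    Format-Table Path, SigStatus, InReport, Bytes -AutoSize
```

A modified catalog-signed Windows binary comes back NotSigned (its hash no longer appears in any catalog) while a modified embedded-signed one such as the Chrome, Edge or Mozilla service executables comes back HashMismatch; both are treated the same here. The signature check matters more than the hash match: the Downloads section lists hashes without filenames, so hash matching alone would miss an infected copy that did not appear in this particular run. If the host is badly compromised, mount the volume from clean media and run the same checks (or sigcheck) against the offline files, since the catalog database on the live system is itself a target.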
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 bba8e6b2a02200d8544693fc5f3324e4
SHA1 2fe5e63ac82d605cabbb03e007a9348b674a5846
SHA256 1e8e4f5eaf3db028ed2b5b87bb7b2113c777886b4db68040a360cf9c9669ebbb
SHA512 6095010f66b2f351d632a447a425f5953d7639257dbee150c0b5182e9c1d7a91fad1ade76a2dfed9cd1fba6444788c83f93bac65de455b00a0bb71c730c6dd03
-
Filesize 789KB
MD5 e2ef3c9c55fefaf8f6f9ef022457f644
SHA1 1d39e6fe0ad64f5a71b72edca613fc33bef80679
SHA256 f67d0f8ee29aaca8a4910e44bd4f36ad84c6a0d158f581d382a196cddb7859c0
SHA512 38052c1352b770a9a33cb83b23b073349c3172e8d0ccb3094cc04db8e092e9cf6d0156732b0ae250f3466f024a778e8aabafb337462aaefbb6dd737f0b8bf753
-
Filesize 1.1MB
MD5 370a31579742ad4cd38cd11cf7321f7e
SHA1 c2779472c9dc27d655ae978cb8c915227110741a
SHA256 f3a70321552ddcf14813ade2297217747937b18f0e518674a19f75eae5501791
SHA512 1a3781a2fb607b88253d4fe6407a3afac0fa7ff51a6e3139d8200c9eda297519ce085b69774cb4ddf1c2bb2852dc56022b54f9a65e89e634d50bf4f003d9bf6c
-
Filesize 1.5MB
MD5 85877a55ceb6aec2d9f8e1e226deac7b
SHA1 5c88acab3b2bf1934a69ca772a6968e60efa0164
SHA256 e275d29a4622d0808dd7ee6649574552c64aad815a707afb5358fdf99479da69
SHA512 1661ef2d03ca3c10d56f81073e82b4fb00cd362c084a79f8520a1fcd49dff053ddd5b75a24e99d169a6c53ec1d2ba464c5e3980f6605ecccb5c38e20c8fd1048
-
Filesize 1.2MB
MD5 66762a52afe8d3673e76c64926f805ff
SHA1 9792361b2ff279572224fa1927965fe8047b2a98
SHA256 eadf153d041c5d4622ba300ce630a540d48b3f73142e936463e33a447545dba4
SHA512 ea1fa970598ffcacf1876dfc7ac17e23152af0e49f885828213d0492b6372407a7c391f73786ffccb3a17bce2bfac7cbe30c828839b0617917be3b265ab58dc9
-
Filesize 582KB
MD5 78aab550b74debb0c0deda14b1ec3916
SHA1 5071c49da7ef0390fb6818d8bcc1b50fd49d39f6
SHA256 9907cd3268af55c90db3720dc05bed803cb8b4972d60c9366bce369dc9d66780
SHA512 02720a5d7d2f98d5106c202398626e4db5fdd5162ba689aec0e4663bf99d68cce899a7ff42a05260c3d8a7facdd6dce876ac2cc1b0985ff5367f1348d1f2ee62
-
Filesize 840KB
MD5 df91bfe3ca9a727e06ef11281a068cd2
SHA1 342642c8b8cffca97f923f4c13a2652f5d710d1f
SHA256 6750b9296515d166c09859025ab9fb232dbc8c0050b0c96d04181f7d1fcbecac
SHA512 bbb22146b25bb8174503c3c5c791ac4731269b1c8c298409873a997868c072f3192f95fd9ce33e337f91482cd214cf4edcbf0feb24930c661745fac32b033b29
-
Filesize 4.6MB
MD5 55706ed6a6b7d765e21fec75ebf08b9f
SHA1 5ce3f45a60c02e0698a57a6b611d2f1e0b5c1f7f
SHA256 1143ed034dc802d1b384a8b46aa4051923f405b958d155e5e6f3ecbda1dfaf91
SHA512 e0363bb4abed2cdf070f0d197f7e191478aa9ec8b7f5316d53c3428795d10c3d8c8d4a4c771c0902a1fec1eb58e1836f12a7460435a0d225d96374c4332aaf94
-
Filesize 910KB
MD5 769194ab100420f96a95f8b56c8d247d
SHA1 7de0e83bfa3286290703b51e6202d449b86aed7e
SHA256 20b06a97a37243f7d1d3bc859d335f0d0edb836ea8b8c9482c7599f37c7052d9
SHA512 90794957cc2fa4d50e6938e578f28ec66cc5ded58bb2db85c176ebf6cb3454668a1f92ae2b79cbf3a80482dd4f8f461dd09c1cb1d9b4a62bdf299fff9832e13f
-
Filesize 24.0MB
MD5 389fc385a3bbc7d8eccf99f72df722da
SHA1 6704b3f7765f5adf089549fee4a275ecec2c346a
SHA256 cda7ac158c69e86ab310114215d379e0a045443c1c45611e8948cea11641fb6b
SHA512 49794a2ec544c85038ceaf0304528cbbf175b7d4989c2004bd254d82062ab701841595427a588a5d7b3ddd44313e2dd5edce283a7d1bce5fa0aa2cad9b7dd122
-
Filesize 2.7MB
MD5 bc115c2ad6e9fb84b9ba71149c7f4696
SHA1 79cd4aec16e135e0242a6aec3434e5f9636f5290
SHA256 77b3f9ab3cd8f7f74ba46205fe6bf98293e73def9ea7166616c620588593333d
SHA512 7195d43d3980e0eb22dba3d740ff5155aaa9adbec7f2512057baf9f4961f14e4536b2687eb531dc0890e5c81c13f5e280893bb31020d39c1414ffd229a8c00c4
-
Filesize 1.1MB
MD5 6e8ab6a150ab5258cb55ed49f5625058
SHA1 e42ecd7f5c9f16462f7e9bd3b5cb7f9fbf6bf45a
SHA256 8c80057acd8b2f5ba6aef5afd4dd931819cb0d72e80da02280f441810a128304
SHA512 ed9e06a138eb8cccfa7b611c71bab6c9a88c52f316acf07f5328331c27c1268fe1d7bc622ae25d2fca6f1e1dbba1ea0598c0f8f1d7d44513a097b7d644f9ab4f
-
Filesize 805KB
MD5 c1c9a13fd9eb5d822bffcb883176bec7
SHA1 9cb66291ab46aaaa99ee6023f8d48526392a7d36
SHA256 fb330bb7fbddf565da9a48cd8e2d6b934500d738ce65dcde50816d5f412ff694
SHA512 e1f81bc3d0bfd7cf907ce706134832607f0b4ec2b62f0f2efb601db1a3019f57428bb4c2c6044e51cf0371fc8c71679d6035fdda7ebc3b151709ef92672e10b3
-
Filesize 656KB
MD5 8c7ebb08315dd5ac715e833192a11c9d
SHA1 ddc1a5a269fb332daa18e559383434c6d5e62da9
SHA256 7e838143cacac29f866fdb409ef560e4b5cfb09fe0e5f473ec9b2acf1db9918b
SHA512 61b6ab744fb3833bb3977e5993ed0525a92b8440871f7ee3d414d48027adb4f81d8d6f36a84adf740d5d9ad5f5c791f86d471d02f08018a3faccd0dec0c09451
-
Filesize 4.6MB
MD5 cf1507b9d8344f00b6adc600627b51aa
SHA1 77ea9bc0b61253b8a3a68957e2fc4c173ecd79e6
SHA256 a0046aa82834dcfa40a6706e909b9503aa209bf5123fca59e83bc89522a994c3
SHA512 4f4d3aadeb5ef87a5b8fff218bc205986489b026e3b185814986821f4a34557ba3a1b20df86e37b110041c0f093ae9fcbcf1f6ddf6e219e0bf12936afc443c6f
-
Filesize 1.9MB
MD5 a308d38e7c1723fd810b9cf7271cef87
SHA1 9af3c1c6ebdf098204fb13781361835e4a6b81e3
SHA256 32f5563544726f3b13d3cfb1f8755cd07d9eba231ea1c08b40df4b895783e992
SHA512 9d8c4f6ec07ebd133efa634daad64fdca71b9c9c4b4a2a79b16850c0b9ad9dc791cde407fc13d91269c8ec36fcfedb6dc3b11361aca1a14bb1b97fed0bb3134e
-
Filesize 2.1MB
MD5 f222fde8906544cbddad87fa6b6b7e77
SHA1 f043d8f54aab7cfe406f92672ba403078998e8d4
SHA256 733d914dccfb26573a1473550a16ed15746051c301a379e07ab9904d1716cd9e
SHA512 e3edba2c8c634589008f7a4d673ef683619dfb60d00ce4c732cb20eb7f6dfde0fa63a1836f4f942a04cb34e87a3cb48a41a7006b3ea1a267e6c59438aeff4a95
-
Filesize 1.8MB
MD5 9c273306c8f1d02dcd6f90750ea4736f
SHA1 beeff3d73b1ee19e52ca2271a47250fff8d10cdc
SHA256 8e606a7f71e0b27ae62523df85ace768ad1870545e9e5a004846ec0e6d00516e
SHA512 1639be09ee4a1575028c91a9815846aac1b1deedb4cca6413b1f14583c7c6994f28cce90574e80e9d361fc1bb1232968c26cbd3c071e8bc03c20a5bee3ef154e
-
Filesize 1.6MB
MD5 0493d6213aa19d45b234f7b3e40f1b6e
SHA1 768923ea9c8561a4287566457a7b5a8d87bfa863
SHA256 a782f5715afdf5fed9855c9330874c0e83942e9a99a0289e694c1b97b7457f60
SHA512 60d2dc48d6b053f8e5a8c85b19d534163d8bd06fc1bef960d6cf588ea48f2316eadd1c25dd8d3ecbddfda34113164f781b864f069bcb03971f855ae110adebc5
-
Filesize 581KB
MD5 e0e45bc8d5044057a79906aac0304254
SHA1 32b13a4479ca9b2ed58724d382dd47e10f137f1e
SHA256 72e9086dd0d7b983f2a356f51003598ab2e59e69fdccb0ba024c43321c04db46
SHA512 6b372827f84e061c231386bdb74bdb1e4fac8d3b2715508aff92cfaf5451e5c70d549a2815494a8cdd1cf05ee772bd00b21a29b63889191e78e0482e9f3cbc32
-
Filesize 581KB
MD5 b2c8640f9c08ef32823a912c2ade03c4
SHA1 ae681f5aae8aa63fa82957e8acea561284303625
SHA256 9e14fe944da2e4ed2b27e55b01702cdba81c676b4a73a1d2eb84d7d3d517915d
SHA512 c8bf069050f159a180f70f05e41bd9e286a93b2efad9ae177ad08d3c5b8cd01fd6c9336afecdae80f5dae6005c57a5e5a0898cf3a2b9cb4ef7fe5be4febbaba1
-
Filesize 581KB
MD5 51b3bc68190b0b08ce56b14065ff8f25
SHA1 861af79659ba4cb42dc60b93a26391720f9cf904
SHA256 267b8c17000227563967493e8d49187fb04e4bf332f904972b7280b560e0517d
SHA512 55c282c11e26fedf422874a639232643debcbf2d5ad8645f378bc8d62b2bb9d06e6af3c075bcba86c549724b713a7c421f9a5d3f32b88be11148adec2cfce9e4
-
Filesize 601KB
MD5 e35f3bcce826c9143cb2f531fae776a9
SHA1 02d86702c812fcf193f50428a358500204a21b00
SHA256 0e482a60996009559fa88ba3bad10e4f79a836a6f4cdf7fe91761b0f0cff5243
SHA512 a9748a992644b1336b1ce3bd0c644838857a95eac0f38c6fc2d9d9221d3d9dcc5ef2e6361e4fe52e178f4d65da75e31fe3533668d3fe48d1df1e18849f242cd5
-
Filesize 581KB
MD5 56a9d9c8252f81dea74860208c4370c9
SHA1 ca1db08b57e0527dabb2bc34d2e03ddc3ed8586f
SHA256 6683172c350199de0a29096c3b72c976c0805b2ce7ca5765e8f3ea61f294318f
SHA512 bb0f4df7043d0f39bc4f904320f6a033ad8e7c6a06740740d522ba450583f081c03e86094182b686f30abe3d293911a7548c60949891c9f4ed4bf1a54107f32c
-
Filesize 581KB
MD5 0b185008077d77f45d5f1899bf85f4a3
SHA1 39e0bd0e2abd16645b59813363e3493f4825cb19
SHA256 d14100d929477f5d4227da75c60332146415e27ea9dfba50e593645a948db223
SHA512 5fa724f8bc706f2aae7fc8996f8329b6607058b1ed5e0e881175422c0ca3cab43dd2092890db8e63d4bae115df900508e627c5dc18ae22e12e4ea252b1c8db5f
-
Filesize 581KB
MD5 5259beb846525e71b85b5daa68fcd323
SHA1 b10ffd4c598ec761ca34e99cdd948e3e6392f283
SHA256 c166c7a44b00fe0da304871761cd8820639ae854da61730730272c1f5ea84458
SHA512 2759ef8dfc8e2c4460c73f1568dab5537978b746c3b5fae2b352d98fbdf9ef815e6b8cd0d4741cf82f1aeea572f807fece3f83bea215393efa66d2d714ae936e
-
Filesize 841KB
MD5 ad4a499ac66a6abd1e6606cc93354c9c
SHA1 c0820eb2aa37c782b6545d298be031d9302a43df
SHA256 963f71f78b60d89e5d05388d2111f0105b24dd4d4b6a2af41e37a1aad77aa027
SHA512 d495d16c45de9e88686e59c05deab657e65b23cbbda9ee44d7937027ae58e78fe57db16699467a0596040df4062b41cc76ad2bf3b5a427595a4f056346dad19e
-
Filesize 581KB
MD5 ce972b18b51245807cabe495a40d8123
SHA1 ebb5313bb82a62b79ed54edf8100bbadb43cf80b
SHA256 fe8e184e5ee49c9a7abfe3f842e98280e4f8aa067cdafc460a17e0e4ad2c6847
SHA512 b8f07a52044cb4383d92b467e9d35474b75dafdcd49df41f97bdff6ec21ef99cbef9b08c91914ff821a458367132195123551292c673727c63aa828e6cf61d1d
-
Filesize 581KB
MD5 3e212db9b81ae2195c400a7d740e4b9b
SHA1 18adc51481ee1b3e6f6ff889cd25039d591a2d3f
SHA256 9c3844bdee45da852a5eedb73a2fb0098f7a70c7b3b16b4ca1abcdcf4f848a57
SHA512 ffb2ef4ab2fe06b7fed98f2eece5e4d70979ef13512ef3e98390c885d5a638458b3f933fa3ed9cfbc7e7be6bb9feca1353b52d229a1be22304e2d217f176edd2
-
Filesize 717KB
MD5 a3a87ddf0db38a23668ada7c52c56567
SHA1 29095dfd1334de73f4507ec4c87b87bd14097c18
SHA256 06312b71bde049fced6f351fbb0703a9710d21ecb4b604434e90e79e816b73a4
SHA512 40af33b9dcf5eb043f6a5853333fc6b36773a687002c22b4cc726fd639c80082cb905baf749675419f3d6c6b02d16361efd713328765d580b5cca1e7c52472c0
-
Filesize 581KB
MD5 996482819d26d7f4a0bab6fdb42270f3
SHA1 827d47449d680322a5a5bc7cd76bf21724a47e3c
SHA256 ce480d28b1fa84e7b7140a9bd49faf62026d6d921d58b9811e32400c0da61508
SHA512 e15bafa4e021dc710fd2371f2c8a46e7fb7f344c2843733f2573c3cf47d6a91b81758b9d62eec4a9df5266ec74bbb0ac2e7c9aae413f02025f668fa5791d88a8
-
Filesize 581KB
MD5 bf2574a5197d01e69e80e86a5408d20e
SHA1 a2ce026bfb8dc9e45b78556a6918cee9f28d219a
SHA256 511bac1350c183a01ef17a58843c397f8dc9813c758925b42fdcd1d04dddb779
SHA512 edededf3431f073a6d0044399a2bab26337ced0ff46b758e894daa6f5915dcecc6e8f8a0e39b445ef4ef97d1696af817e295c487db1cc1bbbf4d394ac4f9f0c1
-
Filesize 717KB
MD5 236002b1d63fc6e587aa55d3652c256c
SHA1 e4605ac7e5f0b71f63f0d339fdcad87dd291af54
SHA256 7fd85ec196674dc76954b6993a3a88cbf86102ea5a088c31b4c82a015798510d
SHA512 503eac4780e8c16d15d3c6d61687470d353cb3e6bd7df95c21e37232c0537f47814af92230fbaac4bc14e54fa14fb4f4a8fdda482e413ee791904b4d76578aec
-
Filesize 841KB
MD5 817c7bde53b0237abd8712c3f8c6c321
SHA1 7f6f25ea38ffdc622d538da5aaa03a2360cd2d9d
SHA256 01fbd4d34002bb169280b1f4c0c73139570e57ed5c30e45fdb7bc8c1a93300b5
SHA512 add98804128aff0637d696e7b574d339759b5c5403991055d8923a9f35f0c63595b1f2de6a582ba8f4584f244a790ebf16b72b24657193b010b2c6241bdc6865
-
Filesize 1020KB
MD5 e8fe4e3719a6c85737923c8351b3b7d2
SHA1 2d87a9fb9a9cf4b11f0e6abb30d9670b69832ce3
SHA256 3b3cb4d38323a206bbba48297566281fbef248066eafb9a3e3937d43c5f47a4c
SHA512 a7a1b88746412d621d6a7a90288e47aeae47ccd63b1610ab2bdd66ac7abab2a437b09f2374baaa724681949e0af91b18d777e20c870f3ac5f5f27442cd81d11a
-
Filesize 581KB
MD5 616348e206210deb849849923cad460c
SHA1 e7994e7e6655920de16b7f5dd1791dd5598e7469
SHA256 4120eff1879d9d68a10e15dfb3a501c4e331e4923e507313dfa0a650b4904a63
SHA512 88a5db2d29b39346f247cd041a299727bcb5f283adc651cacc2febc5b2554b6ce600889ab5ea0b89e5c31be2d3d5106f0688bc37f8d5c4154d31abba1cb66cc6
-
Filesize 581KB
MD5 0c662793b7c424dadfa59a28c72919fc
SHA1 ed3f9eb4d3a99b20b5663b93f4ae3a212d4890ae
SHA256 2eb3458e652e2a7249f1de66cc88404587a2d3fb6efb1e9b196dcde91909758b
SHA512 410801bdb362ba7c8b2608b69434a90d717834c985acf28101e4af0a6d4647966c68bf6c5d024ea78750c7225a73ce9637cece1a1e55dcbce12860d95af1b5e4
-
Filesize 581KB
MD5 097d091513401cf4e7d2360e08797c0d
SHA1 cef28d85423180fd914dc2da879064173274965a
SHA256 40524b13800946cfae69d66c6bd69820431853e342473183360997fb4a26aa94
SHA512 61f280ebb32829e4db3aca73675657598883570ba6a0a637f8a0d9f746893e6d567ac2be33e23f0fc6961fbfc4b9ef03dc8f9968722b6bf9121262334ddbb74d
-
Filesize 581KB
MD5 06854c4a1d022609d7cc9c3e84bbd684
SHA1 e9cb6b18b3f283607d014425308bbdc65015d092
SHA256 cc6dcb0476b3ce77565f68ff14a636b0379ff19ff1d58cec54c18a566a48a942
SHA512 a16141990cdb752d759d3dc04e12e66dfa37430979dd8e337f30248e55ae37fee9ffab918d1dc26006c708a6b7d2bdce7173a67a8903120fdcf929254a7714fa
-
Filesize 581KB
MD5 e1d9c17ef1c8609bec8d02cd3aa172c6
SHA1 97dc0acd7056edcb1f733207dee5cfcd92716b54
SHA256 a61461145e4ea489cb16abcfd601114fe86d36aa084e08945fe71bec33709f5c
SHA512 69a52d634616d3bc4fa9979a18c3c9bf361476bbb02ab091ba67f3ee24c926a460fa2973531ee014ce627ad3644de1b5002d03ea71353f13d788c9f47763d3ba
-
Filesize 581KB
MD5 984f05dd7498bc1a029275ecd39955ba
SHA1 52c1922ef9de69afbfe404b472a9066ba68be765
SHA256 3e19b28a0114bd5b2f8d6e1e4e0856310a5e6ca8c9752fdeac22750ac4c10fc6
SHA512 3adaa953639da03556e51e5fad0d175e832e1037d9fdbc217ca6c5f46459513de6cb9621dca7be121ebd9090827e7e954ca25ab6cbeb9ca7c618bfae97642d68
-
Filesize 701KB
MD5 e8342a704c1261ae89edb9f8d872302c
SHA1 103fb89bc71f794c465c2efdb69e8f441f8e87c6
SHA256 a6b13338bcc2a01ba37f5d2cbff04a66692dd38f34e17f1840fcc0bbaaab93df
SHA512 dd4d287764ba34cbddf087f802cf45cf81f5015ff07b50b0e5b220b8725e0005bd653e304e250a43b954cdf555e32c581088535cf88b14d3f39966b6c0ca50ca
-
Filesize 588KB
MD5 686768e6c3e3c439b72d9069c123aaea
SHA1 1b2d22eae9c284a22508e457c0c669476b3fb22a
SHA256 671b294071d546f2fa37ceca58c0b8b2a64114757777506951887a23a14d3eab
SHA512 62187e47806c616bf290e95a42fe7e2ad268676a0582958e75852d021a45fe8ba12d6145373b0123be5ec7e421d9414fe6f323270828a1bf68c69827bff78af3
-
Filesize 1.7MB
MD5 415a73bae0cc89edfd2d5fa90b3d5d8b
SHA1 ca9c68b577d2a3623f29696c06581a0c9edc9499
SHA256 8bccd0ef11ee3f51085243aac22b39ffc84e1659504225b742f1d26addae514b
SHA512 5298d16f980c19f6b0e64fab7770781600d9c65ed4eca234f6caa9bc2335ef04d2556c4cd74ba7fd70c979b83e665760e39d4269e39e2e4f5c08163d38ec7f85
-
Filesize 659KB
MD5 fb5739d929d9ca745c0169f3379ef6ee
SHA1 21e8f4beed275e5ad04194c77218a84af1dbf2fd
SHA256 c8ca074f8b78030f321565a0187a44646db9efb2397615a80bbbb173e4e0d9f6
SHA512 77404dad9ed4bcb2f95a00d4c0f4e06ec5899310b46b329a36683c72cda11fed459ad139d506254d6a8ccfe6b2a5aef42f48e5ae0aed0c986e66d1c345984e91
-
Filesize 1.2MB
MD5 2a97bfeb57cf44e63c01c0cd6a35517c
SHA1 f557515a4229480cf7378f202ce7d9bc2b3d7a11
SHA256 bbdb95211449a00e61e803e9f704d9a81e20810bb4899e42ee898181baa1ce78
SHA512 b0a1ce29de3f3c3a63d7c38f498d7f0a6ba4d0d35d067c7293dfac56a048bd7eb5736d1ca119ea401f47a212bbb7c85e0a2d19ffecb025e3b29716c378913526
-
Filesize 578KB
MD5 1c6363fc00d728114b9044566b1e22ec
SHA1 426edb1d7496c886c7d10f9a1d1cc597a553c1e7
SHA256 8287c9725f18271e691662c369d6085f05d9643df3b4710618ce77621cf297d2
SHA512 13bc004d5530d2182de5ea90b57eacfb7ad13478bba68993ad47b3aefcc8069c98e40534720967c473ac622bf1247815906937a7eeceaf3ebe81ededca8822c7
-
Filesize 940KB
MD5 4711c361965ccecc84172a7f794d112e
SHA1 8ccf48e432f110534df103a191d09536b6171a2d
SHA256 66a0e61ef90f4bdfba54fa2840e8ba86533e958c3fb1091fd7ae7ef37cfb0cd4
SHA512 6e64b24a47136cead5ec268c7613f089ae07f362c425484b724306979cf4637f7dc30861fc721633ea70f5387d161c32dfb9c336d3bd7b9341de91b58a140823
-
Filesize 671KB
MD5 e24c379a3b3db5ba4d4dd3f3ba87cd59
SHA1 d9c95de45520fb344733fbfbe4ee1626760afa9e
SHA256 88d736a045101b75b5230cd48b8995bfb9d2d6118e958e81486c032fd16b6f2e
SHA512 c2a9be5defa5802bd5f338561b15181aa5f9a40d66911a70fc3242145a068db6eda407470d2085bd0568dee877e1b798a68d590df585104f375acc2fd676be45
-
Filesize 1.4MB
MD5 e9f1f9abc901e626e19c263d07186ce6
SHA1 139ae53ec15d7053e4fa0561ee5783b1e24dde50
SHA256 8966b02d5d162e4ecb9b9d02c3499d25a8436a70685d5b069c9a218beff00f3c
SHA512 9dda09d68dc9abd9beca9eaa6308148536e31fb1e256b28a139d9be96ae20b4f915af0cfd9664b06aa57508816043a593b09b427dcbe9a75b7a0fb97b4509304
-
Filesize 1.8MB
MD5 468c04a40bc87dc13c36ef1f449a6c36
SHA1 d6bb26478122c853531358d0fac7ad74993e1324
SHA256 bf29623f3a663ea397fd5c3ca19b0c659f2d7965e6a0877650ad48af628b3ac3
SHA512 cd3cdcb7016f928ebdbf6f4dff48bc6d81a830938b10cbca5ee7029b0548d120474497be60de89c581011c0b9e42754c6792ed0978d4c9b59dc8dffa112ee835
-
Filesize 1.4MB
MD5 8e8463fc11df0ec7a9c3279ea0ff41c1
SHA1 7d23df672353d8f9a5de741fb78ffe660ba3bb8d
SHA256 2930b868b2bdc12e06b9d304cb25cd74f83e4fc2ac869a471506a4276f5c6aa9
SHA512 489c5e2faddef3e0bbc15c71c4042cad0104a7d2cef55279580b339c8dc4fa6df441315bbf95eefe538786e10ae36c2ed1064ae365fa6020cb14a904cc5200c8
-
Filesize 885KB
MD5 116023f41c7f9c3f7be5bee64bde58f6
SHA1 c4b52eb73765a54ab073272c22bc2d50b4d3f2ad
SHA256 9248b9cab1770557b52972c3ad249433d911ac27f9c55af307b21792d9f78976
SHA512 8cc41f60abaea00a7c7633b4f53cf9c36ea595bf83e78e00dfd1567f2ce997a36bd8d8fad2a880cd846b32ff647506b0123c689197b4181a6f9953572051dbdc
-
Filesize 2.0MB
MD5 9c9536bf4ae3a0d5f2095d0381744922
SHA1 c0f8f0e3f45249327fdba65e2eaed8d80a3d4c3a
SHA256 50ba2789ea07597f8493ac1edcd5738193e0fd2633b156a9c01aa577462e9e02
SHA512 8881878a663045899d15a46a56dfd37d420453affc6f865b92f58ba3d22bdd05c14c404d352e0e4e9ab466bf66abc5d9e7f3aef17e656363f48eb5fff5263472
-
Filesize 661KB
MD5 91e417e20148e2d7007699580ce43633
SHA1 baa2d11b04ed6e7d056dd7e7b0a117a7e95f8e28
SHA256 8019f38a44a0a87739ef9579f48fb7fa2a6d183ee4bb02ae3f910b41637997bb
SHA512 12dc82edfa181965fa70431d3ad2bd488f1d450fde2a04170bacba1c555c855b3cf2812b3574f1475f709edb79e78ad1771b91db4b2d9aa2d2cbd73146e27cc5
-
Filesize 712KB
MD5 36ff338a87b0ab6037a33ab115b612b5
SHA1 37651fc1d89359bef1bc4812ea62289b4d4a0b48
SHA256 f3eb54fff0f29538bb69b713a97c81a5384b3da5d217e116746ebad047d5256c
SHA512 576fa0dbe828e0b190aa46f94335f8c4cd8e706cc1cdfead3c4cbc3c4d6cc7086e8f8b3e817f7cffc9ccc54792c2f8361acedea2788381edd66329462166e1f1
-
Filesize 584KB
MD5 4c426b537c3b0c19567227442b31253e
SHA1 3c4c4894d83f4456c66e2781557ed4075129d42e
SHA256 0e2281c97dfbe28a4d2d70da11c28ef68b2ed2db14b98146ddf1616658596760
SHA512 4022be9f343c72a76da5c3d23a4c22d891f1904d5f30f79c89b7d1c6b5944012ad42a0741576f71656990dbba956b9a9272637ebfca544870028c2d921a535b2
-
Filesize 1.3MB
MD5 1194717e43ca8e9e8dca170a4ea03984
SHA1 9a1cc5c1095c02b4ffab8adf6dd1faa33780229f
SHA256 61971f97c9509433c86a506d942da29071b21e4c5f69672fce0c72cdc2f6ac3a
SHA512 f3465c9c194f8db6b1132391cca282a988a1c0f3b5bfd2802deb4386caf8c6dacc1f639facca844146f03373906b3d955a992d83a92e4ff63ed3dd78c9e4bbb2
-
Filesize 772KB
MD5 12af20912b3d7b6d0537ffa50886402b
SHA1 1cdaaad9f9d8c61a349ca656bbf25a50e787d93e
SHA256 5724d7a7bb49b3c6d9613008d38c1e3baef2cdca1eff914854b6df6f3c2a9969
SHA512 5d0126e1923af7baef38d0834a2cace33fab8a790d24b941fb64f8da1bf635318fd1babaffcd394605514df7c9cadb6242878d8113ca206508890aa7144e3d10
-
Filesize 2.1MB
MD5 4f53af3513b915319a27646b0c584f3b
SHA1 5bfd44d5081a9b2d215e3b834ddcf4e0a6955961
SHA256 292dd6d281ab21805374a5db373bae3e45da58cbd0345320b8d77349b5f3232a
SHA512 13380f92bd5cb0849e80a48b04de770fd97a033da3752a26b352a873662be7680ff1b16a2aff97fe3da444e604c2cbea2853502d8fc574b339d0b7c0835d6571
-
Filesize 1.3MB
MD5 321a6e565890cc8f457cd3999b877a91
SHA1 90340686ddec556342d5a6cbf5714787d06e3572
SHA256 5f8b5c6b41a53a62e80002c9d2f6dc7949b7a6024fd2ccca7ed477cb3ec360bd
SHA512 69fde3134cb3e0b075897eea3a9ab67b178a5c51388ae5d50aceca8c9f02c4aa8c9367e97054714f5dc34f12f5b852c4cc7e082acacba86136340b403ef004c2