Analysis
max time kernel: 119s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-10-2024 16:09
Static task: static1
Behavioral task: behavioral1
Sample: 6f74652d09ccfabbc005441c2df301da52bd971ddbbccdf92ed044fbc2d2293cN.exe
Resource: win7-20241010-en

General
Target: 6f74652d09ccfabbc005441c2df301da52bd971ddbbccdf92ed044fbc2d2293cN.exe
Size: 1.3MB
MD5: 460a8bea4ab39a7d8b5403612bf888f0
SHA1: 14cff03fbdf6a1cde9316823bbad6c4777711c13
SHA256: 6f74652d09ccfabbc005441c2df301da52bd971ddbbccdf92ed044fbc2d2293c
SHA512: 72a4becc2cf9c65248ef4823dc41c15b98b76e93edfd895e95803318bd819ff5729b00d4ecff9b484aab758ae97de5df6bf72b09ce7ae85060fc941d3d700918
SSDEEP: 24576:gIs0Mc/rGArWs6zt2x814qEiNzBdkoMBN:FJzjQ2RwctBN
Malware Config

Signatures

Executes dropped EXE 22 IoCs
pid | Process
216 | alg.exe
3096 | elevation_service.exe
3456 | elevation_service.exe
3960 | maintenanceservice.exe
1920 | OSE.EXE
3212 | DiagnosticsHub.StandardCollector.Service.exe
2288 | fxssvc.exe
4696 | msdtc.exe
4244 | PerceptionSimulationService.exe
4828 | perfhost.exe
2584 | locator.exe
4660 | SensorDataService.exe
1344 | snmptrap.exe
3336 | spectrum.exe
2444 | ssh-agent.exe
1400 | TieringEngineService.exe
4760 | AgentService.exe
392 | vds.exe
3732 | vssvc.exe
4388 | wbengine.exe
3080 | WmiApSrv.exe
2216 | SearchIndexer.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\5b4a9cfa99262766.bin | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 6f74652d09ccfabbc005441c2df301da52bd971ddbbccdf92ed044fbc2d2293cN.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
3096 elevation_service.exe (7 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
664 Process not Found
664 Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2020 6f74652d09ccfabbc005441c2df301da52bd971ddbbccdf92ed044fbc2d2293cN.exe
Token: SeDebugPrivilege 216 alg.exe (3 entries)
Token: SeTakeOwnershipPrivilege 3096 elevation_service.exe
Token: SeAuditPrivilege 2288 fxssvc.exe
Token: SeRestorePrivilege 1400 TieringEngineService.exe
Token: SeManageVolumePrivilege 1400 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4760 AgentService.exe
Token: SeBackupPrivilege 3732 vssvc.exe
Token: SeRestorePrivilege 3732 vssvc.exe
Token: SeAuditPrivilege 3732 vssvc.exe
Token: SeBackupPrivilege 4388 wbengine.exe
Token: SeRestorePrivilege 4388 wbengine.exe
Token: SeSecurityPrivilege 4388 wbengine.exe
Token: 33 (unresolved privilege LUID 33 = SeIncreaseWorkingSetPrivilege) 2216 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2216 SearchIndexer.exe (24 entries)
Token: SeDebugPrivilege 3096 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2216 wrote to memory of 4528 2216 SearchIndexer.exe 125
PID 2216 wrote to memory of 4528 2216 SearchIndexer.exe 125
PID 2216 wrote to memory of 2384 2216 SearchIndexer.exe 126
PID 2216 wrote to memory of 2384 2216 SearchIndexer.exe 126
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Each entry gives the image path, the command line, the signatures that process triggered, and its PID; the two entries indented under SearchIndexer.exe are its child processes.
C:\Users\Admin\AppData\Local\Temp\6f74652d09ccfabbc005441c2df301da52bd971ddbbccdf92ed044fbc2d2293cN.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6f74652d09ccfabbc005441c2df301da52bd971ddbbccdf92ed044fbc2d2293cN.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2020
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:216
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3096
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:3456
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:3960
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1920
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:3212
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4004
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2288
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4696
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4244
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4828
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2584
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4660
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:1344
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3336
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:2444
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:1524
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1400
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4760
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:392
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3732
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4388
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3080
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216
  Child: C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:4528
  Child: C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  - Modifies data under HKEY_USERS
  PID:2384
-
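The token table, the Volume Shadow Copy signature and the process tree above all describe one condition on a live host: Microsoft service images have been rewritten on disk and are then started by the Service Control Manager with sensitive privileges enabled. The script below is an added triage example for this report; it is not part of the sandbox output and not code from the sample. It verifies the Authenticode or catalog signature of every image the process tree lists, then joins Security event 4703 (token right adjusted) against the same check so that only privilege changes made by images that no longer verify are reported. Assumptions: it runs in an elevated PowerShell on Windows 10, the "Token Right Adjusted" audit subcategory is enabled, the one-day lookback and the privilege set (copied from the token table) are this example's choices, and the function name Test-ImageTrust is invented here.

```powershell
# Added triage script for this report; not part of the sandbox output or the sample.
# (1) On-disk check of the service images the process tree shows under "Executes dropped EXE".
# (2) Security event 4703 hunt for those privileges from the token table, joined with (1).
# Assumes elevated PowerShell on Windows 10 and that this audit subcategory is on:
#   auditpol /set /subcategory:"Token Right Adjusted" /success:enable

# Privileges taken from the "Suspicious use of AdjustPrivilegeToken" table above.
$sensitivePrivileges = @(
    'SeDebugPrivilege', 'SeTakeOwnershipPrivilege', 'SeBackupPrivilege',
    'SeRestorePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeSecurityPrivilege'
)

# Service binaries the report shows running after being rewritten on disk (paths from the process tree).
$reportImages = @(
    "$env:SystemRoot\System32\alg.exe",
    "$env:SystemRoot\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe",
    "$env:SystemRoot\System32\fxssvc.exe",
    "$env:SystemRoot\System32\msdtc.exe",
    "$env:SystemRoot\System32\PerceptionSimulation\PerceptionSimulationService.exe",
    "$env:SystemRoot\SysWow64\perfhost.exe",
    "$env:SystemRoot\System32\locator.exe",
    "$env:SystemRoot\System32\SensorDataService.exe",
    "$env:SystemRoot\System32\snmptrap.exe",
    "$env:SystemRoot\System32\spectrum.exe",
    "$env:SystemRoot\System32\OpenSSH\ssh-agent.exe",
    "$env:SystemRoot\System32\TieringEngineService.exe",
    "$env:SystemRoot\System32\AgentService.exe",
    "$env:SystemRoot\System32\vds.exe",
    "$env:SystemRoot\System32\vssvc.exe",
    "$env:SystemRoot\System32\wbengine.exe",
    "$env:SystemRoot\System32\wbem\WmiApSrv.exe",
    "$env:SystemRoot\System32\SearchIndexer.exe",
    "${env:ProgramFiles(x86)}\Mozilla Maintenance Service\maintenanceservice.exe",
    "$env:ProgramFiles\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
)
# The browser updater services live under a version directory, so resolve them by wildcard.
$reportImages += Get-ChildItem -Path "$env:ProgramFiles\Google\Chrome\Application\*\elevation_service.exe",
                                     "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\*\elevation_service.exe" `
                               -ErrorAction SilentlyContinue | ForEach-Object FullName

function Test-ImageTrust {
    # Signature status (embedded or catalog, as Get-AuthenticodeSignature resolves it) plus the
    # SHA256 so a rewritten image can be matched against the "Downloads" hash list in the report.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'Missing'; Signer = $null; SHA256 = $null }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status.ToString()   # anything but 'Valid' is a finding for these images
        Signer = $sig.SignerCertificate.Subject
        SHA256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

# (1) Every image the report lists, on disk, right now.
$diskFindings = $reportImages | ForEach-Object { Test-ImageTrust -Path $_ } |
                Where-Object { $_.Status -ne 'Valid' }
"== Service images whose signature no longer verifies =="
$diskFindings | Format-Table Path, Status, Signer, SHA256 -AutoSize

# (2) Event 4703 is written for every AdjustTokenPrivileges call, so it is far too noisy on its
#     own; the signature check on the calling image is what turns it into a usable signal.
$since  = (Get-Date).AddDays(-1)   # lookback is an assumption; widen it to the suspected infection time
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4703; StartTime = $since } `
                       -ErrorAction SilentlyContinue
$tokenHits = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $enabled = ($data['EnabledPrivilegeList'] -split '\s+') | Where-Object { $_ -in $sensitivePrivileges }
    if ($enabled) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            ProcessId = [int]$data['ProcessId']   # hex string in the event XML, e.g. 0x8a8
            Image     = $data['ProcessName']
            Enabled   = ($enabled -join ',')
        }
    }
}
"== Images that no longer verify and enabled sensitive privileges in the lookback window =="
$tokenHits | Where-Object { $_.Image } | Group-Object Image | ForEach-Object {
    $trust = Test-ImageTrust -Path $_.Name
    if ($trust.Status -ne 'Valid') {
        [pscustomobject]@{
            Image      = $_.Name
            Status     = $trust.Status
            Events     = $_.Count
            Privileges = (($_.Group.Enabled -split ',') | Sort-Object -Unique) -join ';'
        }
    }
} | Format-Table -AutoSize
```

A hit such as C:\Windows\system32\vssvc.exe with Status NotSigned or HashMismatch while enabling SeBackupPrivilege and SeRestorePrivilege is the on-host counterpart of the report's rows for PID 3732; a Valid status on every image means the host does not show the condition this report describes, whatever 4703 says. The report records only that the sample used the VSS COM API, so whether shadow copies still exist is a separate check (Get-CimInstance Win32_ShadowCopy). The SHA256 column is there to be compared with the Downloads list further down, which ties a rewritten image to one of the dropped files.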
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
Filesize 2.1MB
MD5 a56ee52ddd9249f731f4f459b277bd9e
SHA1 a587eaeb2bf8f8d7ed61c9d6616d48343195f317
SHA256 ee92b8d7d2df0fe21f4a98ffe94b7a329dfe01be53519794d98bb395e4ac88f5
SHA512 c718632810e9aa9e4011ab8b5d05343a41bf2fb3dba091590d76747ca2a8a517dc60ce7da07fe7414b6e1c82e57f8813547b3b3479f4490da4ba19bc33a2e110
-
Filesize 1.4MB
MD5 a74bced2da1466f423d680c3cb6dc780
SHA1 d9da225d206c090694fcbea0b79c8869f119a051
SHA256 77da49a90893ec14c0f999e41f3f72569dc8b7c7cf6a8ab5d831cb8e941af501
SHA512 5190232956dc26d3735e10fc7497d59b1920e9a2d83fe33f07185e9598d557fab3dba2fc1d26015b9dc642fe8801c1817c8b2e5e8a25aa23766bbca1fa4803fa
-
Filesize 1.7MB
MD5 231d9277efce0f9691816200683e1257
SHA1 a5be154deb3a82cf61f0d539d912fc5b60e852cf
SHA256 d361f0f3957f65f2d796686a811ad4b0fa8c33adbf4a74cd2203b1a8a15cf50e
SHA512 11789978112c059d3a1470255dc4bd42d4806e3b6bfe91b7fda60ff3156f8053baa0e8936ceaab3200fcdd9438f54c2f005883597776cfbea1889eae902cdf07
-
Filesize 1.5MB
MD5 84470326d80b9bfb3fa3034c89150172
SHA1 e733067fcdb5b03742d7f2e5ec30908f3708c428
SHA256 14c5c80c01fa56a80b4cdd670ae9843035502bd3119adb5b98b7a295ed714ffd
SHA512 01682f611ede398f86e7bfbb75026e09e4ebda99bfc55310c5ce7253acf5d54b6a988678deaea8dc8e76daff19e8b5ec8bc0469b6990d5a234ba60da2ae6d04b
-
Filesize 1.2MB
MD5 f7a78d1270ba0334f05f01a61e618669
SHA1 0e06a22990a6b4110e0f31ccdf33e9647dc80af7
SHA256 19758e0e734dcef33d259f50c1bf89452e613efa4f9ffc0484341cf1477a7535
SHA512 2e4a071f81c43c5c8700e43fd1cd87eb65e620835849e944558c993b72620f47361e40506c2ea57694f37a695256fd70b9dc87967c4803962338138db7218e5a
-
Filesize 1.2MB
MD5 fd201789a423112410710a70d41da428
SHA1 6689b9cb95b85e6eabc9601b612bef3d171d30b9
SHA256 3ab75bf6ceb478a7646b9b576a940948e966cd6a6f4f8a0eafa7c6afce88a193
SHA512 9a95b01695efdcdb8f0308c17aa0510f6f0ffc03cc56072a96db46becef76a2f75c8074116f0a702f0e5bd3e1d4c2403f6c799c3e816cdbf6add29fe87058a55
-
Filesize 1.4MB
MD5 049e67fd1c41b19d8502076d8f4e9ecc
SHA1 ca3782ccf46e6ecf912978be014c477ca30dcbfc
SHA256 3a647f0f0314109ac1403e02b25050ca9c0c1af17333e0cd7746ce9d44ceba42
SHA512 18d2989bdd4d74022fd3823d14f77062271819da4ca2d3c7f58238491b8912e184a7ad456ca28caccb1d777b02c874d2df25f18cd4c90e4874da18b450ba39e7
-
Filesize 4.6MB
MD5 228d8cac8a46bc93baad1e06bf749cd4
SHA1 a6a42aa331eddcb62d856a390ad31348a4b48106
SHA256 5ac876e9247d763f08ba267ff46fad2a9c2c9f4060051d3012bd254617faea1d
SHA512 f5058171cb7faba876be1dbbea5eb8d2a50f0b5dbcc68c20255b261f71c608883ce025bccd13d19e9e9f84450aa795edab79b2a3137ccd25b3bebc9ccb4906a8
-
Filesize 1.5MB
MD5 41b688b0fc47cb8d1fcf322ee18891cd
SHA1 43798cbb27c953681aa6b800857182afc670357d
SHA256 49d129965e38bf81bcd7d0ee24a12bdf0ea5c8ce571319168bfbe93cf1aaaf46
SHA512 fef0571091ed93726931deb24e82d7f8f6a6ce8c823a7f505c22dc8f32a13c586d6353667a70ff8566d87c7fd6983c38fb7cec2b13390a9e36bfc8a2e203eaf7
-
Filesize 24.0MB
MD5 f3a1f1776dabe89e9e636e6bd2853897
SHA1 2d5804476eacff12ccd0fb5d76171c592555a4d7
SHA256 422920af46b810e37a3de1050db17883083cf9e6585a354acfffd563d361e9a7
SHA512 7c8bb62ace086dbb1f3f21ba32892adb2dcd21850db4691bdbd80b06ffd9d71ed27574142357e6f5ce494a1086f94f872d48b775b20b9eaadad1d2edabe06509
-
Filesize 2.7MB
MD5 2f5bc5ad8a21551308c04a0ceffb2c86
SHA1 ffbd27086b6b5ee2c6af695751cf3930f16f4e98
SHA256 babe7bd02605677293ab757b3d92654a04338be8e146f019ddf693034cbca4c9
SHA512 b143c1448085131a40019fbfae90b23fe639a48b5b83300e363580161433826858b6a171769b9665aa7bc728c689646bef7ce623f4f299ba96b510a6cb584b15
-
Filesize 1.1MB
MD5 7be75b914c28681390ea404596627c0c
SHA1 9e48b7cec76fd03fcca2a0eb6afc846a1d936cbe
SHA256 ba058916af50fbf39d8b7bf74b77a0e37278cea74c46df415efa5e3ae2f3afa4
SHA512 1e0bf1e17b014028cb1d205ecf5353f87cca58270fc2e7305da9bc4099f502ef15f4adfc922b5736029078a05108be903df11644beb5aad231db544a2d4c7cfb
-
Filesize 1.4MB
MD5 a873e4ae89f96733d8423a83ab1fa21b
SHA1 b50b0e2a8101ca34513000fa2696e96a6a4dcb7a
SHA256 2503dba28713639a735eb7adacef5ba7fad0688fce25cad328c1a22d3864216b
SHA512 8b61f7a31a11402a676918517b867528878d0a37e01fa5bdf1683424f92aeda609534fbbd836bafebc8570ef2f291da6a83fb0f577b7a7477c71299c376e0a91
-
Filesize 1.3MB
MD5 d4a22aa77d0ada2d153ac8519f24c24c
SHA1 ee394b41443b6ba7b3ecd7b4c012c96210e939b3
SHA256 fd4244a498f0efe32a8ada83e62bfad2f9a94470ec2e98c832ab07e26ca6ca0c
SHA512 7d913ee7ca4b148d96343c1fadad14a3db2a332dfec31d277602d1bdbd818836d0961a21d1096b66b07f8d399d493f991fb1e9c273cd03d079d801197e7c94c3
-
Filesize 4.6MB
MD5 fb8bc8b089bf3657b0027789d0b5da5a
SHA1 21e235858818d6c707af8d94e9821cb05ad655bf
SHA256 7e615624746df1dd0d876be7e1d82698fa24e4e7b5343de9042406bd222c36b8
SHA512 a89652e9dad038587ecf356ed4aeb5700c6a5139c5dfcdd85c32d29d943bfe3055ff3eafcf82b21108fef33c8e88f0dee22d29516dd43611071810aa6ddb3a55
-
Filesize 4.6MB
MD5 74939be17f328094031e27fa9e0e0626
SHA1 e69166a4bc4c5a1822788c7d81dfdb480708bfbd
SHA256 4ae105550cff0db703d7b32fc05442870514381c9790f0987861834d8807cc66
SHA512 d5a9fc624321726045c4c39ec654999a4faae25394693e2500805b1be2b842e55ffd52220bc36203e07b6c21eef46ae98b0dc2bc3d8c2b831d2aaf273ad47eb6
-
Filesize 1.9MB
MD5 77d77698271b066d1e8301482deb1559
SHA1 b13ba3b93e960ca03ace2b23a9280c9c67de1f86
SHA256 4175bbf12f2f985e53bbed1b6eed0b7850a222f357a689f1f03119e9cf614b8f
SHA512 ddc7473706004207f8da145eda16e98ac6a9272ba942a0a3096ad4faa168065b13d5b5b410de19b1394a0a617aed42fa2e6647fc799a767da48b27fb454acb20
-
Filesize 2.1MB
MD5 244d67d2304aae91fb0addf5f4fc53da
SHA1 2c7e476fac85c80f3f9111202ba299f301ac9dae
SHA256 1b2a14bf19a4ca1a8350d3e956d9db3a7d3d011ff3accb280df1e108f1734c79
SHA512 431d5e226e3f01a08d0955be39f77455875aed5034945da3844923f9a77c48ecf367a23aad7a7a483f157293fc0b1d1b4d78fadc9220a428de8a92c57ebafb4d
-
Filesize 1.8MB
MD5 8e3cf1f7ec29fbf5d25b5fa8902c031f
SHA1 6b3344cdb493772788beda07f27dedd4898b79f4
SHA256 da0f3394ef370a26be13b0f3348591b28f6059766c8cadf7a1e9e40e4a0af598
SHA512 792353b20edf9a50c592754f345899071856ec4ebc45f224f9e335ee0412f663292e044447ef96c3811bb87819fcdf6515de0b0712fdd9ea5144dd829cb0e333
-
Filesize 1.6MB
MD5 efeaf4f0f532739a9abc61c8c0184188
SHA1 533705c682154f45ffcb8735f9a6abb0e6a5b0d6
SHA256 39318b16cd0cff8d704ff9b0c790a119d4ce813ff75c818915af25fe0e19823c
SHA512 919b8ed19c3c7f15f845425e5dfacc5a2a59a603cf6147f97f520d9074f9e8cb10cc46eb4060007020339df4f0394a89c85872db78e4957b1dad93764302ee8d
-
Filesize 1.2MB
MD5 c6a7e0a3524cfd9187d78cfb46f45308
SHA1 15c36d48d243b5c2b2674dbaee77bdaf0a442b2b
SHA256 204a8402cd564bcf7b5c491560ae033253ba228a1c6d3b3360166c06aeb7255a
SHA512 0b4855e38d898028c4a60b3d95c6bb85dc557a0b0cc29735a17a66baed3f17edff7fa44f456b284cef1a5a56e40bd45053a246178943bbdbe3c7a556f0fc9e4b
-
Filesize 1.2MB
MD5 39ede187c85c0b25e346847d32b37ec2
SHA1 2dce7a9a5d648d16dd3ddffab8f2572babd89d21
SHA256 d9b1c31a12b1b428f8866b44d60b6e05d346678e87a104104369caedd2045f18
SHA512 dde6e52d6c9306d16aa06748ffb79ba7cfd2d087694f298c4afe141c591faf88829a6d3175bc828e9e4a7c84ed32382f1b5b53c53cedac1d33d4e8829ea5a611
-
Filesize 1.2MB
MD5 4e7e3f98264d80f4de4e59b6a74e4a25
SHA1 55aa88a21c440af1837cd73a8660526bebcdde93
SHA256 a8e63b3a53172537018a5a5e65b745ded6aa2b3eafb63a7b5d826f7f03112342
SHA512 ad9056d4e562416fd815959ae9ac994b24d01227c6398238613ee16187a7c6a742beade8d422b8942f28e53f3bba81dc33b6bc04a04cb0ad5f51e843c3b335d2
-
Filesize 1.2MB
MD5 a28b736a0c276a37beb428898ecbd412
SHA1 97a43ae30becedd8e411008eed5913d475b2721b
SHA256 d6a6c2df5b40cb5226cb7baa8bc36141ae00e45ac55626abdfe0f32ad160e3b6
SHA512 784370ae98a581920a06466d3a2daa2ba07f2932c989eaeb63282b978d5bb6e1b90f492e722136e03927006f700c385ad1ad0de53aef57aa87917fcd321809b5
-
Filesize 1.2MB
MD5 9ab955eba43db4128875a11f05e33323
SHA1 bdb1945161239cd522d0c0eaebf10f880fcafed3
SHA256 3df1bfdfdc1d46190a94b751ad0a9e6d2e4b0c8084df827fd9e3df9c01c117af
SHA512 2f95ca77979d3483c107d22e0ef9049528edf56a24e6454897ee4fa6b22432c578b6baa67dc771b9f06d6b7c51b745e34ad4ce6454f400ffeb077a15612b992b
-
Filesize 1.2MB
MD5 b0cdb87751c9b7ba1899c9682ec31af1
SHA1 5db4a0d313ee35d678fa5bcec03b761989b22ee0
SHA256 8cb1321c5116c3dc5f817b522596c5ec41c8edd71a52e619e26d2f38640d4d91
SHA512 b8dbeee1855bdbc10a039c1fd27c9e2aa598765a05e909b4d8f1f9acebeacf6daa2c7c7de08bb4d2098a6a5fd6c668d4c18deb6d19bc14717f25e56b4c3de5ec
-
Filesize 1.2MB
MD5 03ac59a24ab1910cf85adc804f0ffb2a
SHA1 13961d3a10ec39a51b524306e8a405dc04343f41
SHA256 cfc9f4f01189b9a1c45459091b8927e3790ac735a8152e23a643699c44b5044d
SHA512 5cce1335302c4d0062fd48a831e76104f72ef0cc4ecb8db914ac5fa1334cb580eea29c6b882c6ed75f3c348724e1d7ccd15c9d782acf8408bcdbe04adeb6af62
-
Filesize 1.4MB
MD5 200ed7533c382eacbf50e8326a76602b
SHA1 a3b5c8db62b1baa0b0711884ca1a7a11f5a2ab87
SHA256 7ad5493d8ae34c31ad5555409ab9e39a1657ab1d95083400177d312548c7be11
SHA512 392e3888ac2d3966f20f8dc11d0f62674419440b2a25cde0ee0deb15fb1ca998d4790e80e9c8638d4ecc627b1bd86f2ec1799c712b5d94387612a437fda78487
-
Filesize 1.2MB
MD5 2510ce948b0ffbe710cc63cedc5710d4
SHA1 50259d282e48092d4788178be68d756945b33f10
SHA256 971e8e9e23ffe5a5b397dad6b49a64afc4241f044dad3af207c135ab57db92b8
SHA512 700af5f1dd0815485219f0a9f62386b945828eda9b68a4866cdf888eb7e6b9f37013128371ad0c6956062b43f51bc667e1c1cbbda23f564ec9e48dd506dd7507
-
Filesize 1.2MB
MD5 cfbe854626578a155df45e55c2c5f93d
SHA1 67a527ec5ff24d33dd2368b574773c0c093f7e00
SHA256 316ccde69e7adde9c417f08b8236664b94464b6ece8811ffa20e09dc35e911cc
SHA512 8bff8ae9bf9bfc9925d58d7c8d446e40729cce084822647a6f67b66f1a047eac0f503e70a6491ab2e6f9e7d9156b22619e5dec4aadb31ed7197f4d4c78973a3b
-
Filesize 1.3MB
MD5 06fa288c33de47e617b0f8e8632bf2d3
SHA1 35f22f613198781568a4262042fb2257d82e7d47
SHA256 c469032bfecb95d7f033ca01c93b38574d0d5a896a812f7d171a3557a81261d1
SHA512 e92c70600d6384d8243ce40cc84a1859b8194cac72a34c6c487ee04dad4f1ec6b91afaf94cc179779b644bbe660c8d7660d9f9705b98181946ba6718bc597c77
-
Filesize 1.2MB
MD5 811f2eeb54946397773890895d65eccd
SHA1 2646d744199f89e6a9ccbd2cd2ec23e6c6066ded
SHA256 a068008d8cba2148577616e03b3ce3ffe505809f3e1fe313fcdae2a982c69f4b
SHA512 c736995f380cdb6141a57a1a1b29411b3ea6d1e00742637c94bac885fbfc31124afd91fe4df9949b4445de3353391c2f4750c3944a1bd31775a3aaddb9c54215
-
Filesize 1.2MB
MD5 5a2fb70bfa94829d95569aa68762f1dd
SHA1 66a8511868be52276c9caf3523d4ffcc486f647f
SHA256 9219437e92c69dc95a19d159a78127c46fb701b55a0f109b0a53e5f0655ad41c
SHA512 4fdad8f09c2af2cc339d0de686717c019239678120b2930b90e6ccbc1756bc5dbdad15aed829217a490079ab3f26411ed4a51c0cbfa6581fc8af4f6b0df8ed8b
-
Filesize 1.3MB
MD5 aa83df0c5c7c4bcb8838133cd8ecae43
SHA1 3fe0520c0e6190030df14f3767e1420e4b21de18
SHA256 bd083b061065a407d25afd5d7c1f8bfdd764e041ebb556266f7d8d533f31b345
SHA512 65cdc2693cc990856a7f907ef17defb84a6c1c86e6b8c72b7da58bc35747eb1dce0ae81a84c4b232ab24d3a65325edb92d543c2a77c37964b195d07b8b70ad7a
-
Filesize 1.4MB
MD5 44beaacf6abe0d651179cf435bfe083a
SHA1 552639fc5858cad1fb3c53ae29acb87796ca5422
SHA256 9f25a7afae3d85d88cb5e44b5410b0e70ff8723b409db5765d0163535706e44d
SHA512 27477b0d0ff5576d9fc84933a17a0faff1dfeac9a655719dd776a544b49c0bf0d5096dfd3758634ffe83b0d87e5cc38ddb87b141906809226c3c892cd7aeb469
-
Filesize 1.6MB
MD5 e2213aea6aa206d6e4d17446dcb6ff2d
SHA1 4ed84dd32033ceb022318b6ad84a92ab3a1ca564
SHA256 4c299eb689d76400cbbf8879ce62feb2cd63c4416ed01b65815ec4c562d2e3cc
SHA512 44c8ae1e8ce887c98695fbea4df04e782b75d5e74c6fdea10cfd674cd95be199e440d8401e4e16337b44aa1ca6e2f67e6f87fb738ee7ca92be4663a18ebc014f
-
Filesize 1.2MB
MD5 5427078522b8db0141b54bd2c34bff8b
SHA1 2dd74893e21c063f1c7cabe2ebbe4b69fbab1359
SHA256 ba66fa0aa811cd86568e7eb7a7e366172e78a682148e316b94386e75880db719
SHA512 fe82dc482ab80977be2728e3c9b7d1e06aa4c425adc572e3566ad71ea903f8a27781d591d57875c80e4791219937dc12517cb1eb96a698bf24276100325d3e88
-
Filesize 1.2MB
MD5 5c0b450cf04d151081915cb12ce80eaf
SHA1 ee41c77b9262af931b1355c0140ebcf81ab4f617
SHA256 6604ec441733df2a2caf7e52dfd321d0c53eea49ee0731d5d7209fbdd719d83e
SHA512 4920f757f6fe5bfa51cf67a6a28a9b5abccea20c073ed7defdcca00a208c94aa046aa9fc3f9c386b1fe51cdc20f254ffe1ba3e90b0bbd752d2a73edeca84673b
-
Filesize 1.2MB
MD5 0450ec9006e570881b0af5ed2ed708fc
SHA1 f90431dfd3696e6160725a7ef7ae9aedd2343519
SHA256 08c15ad42e6596e7c5ad6435be0b7d15dc4f7c629d2157136a27aa9f6476c75d
SHA512 e0c3d1532ecc8221fdd3e44f6cd30453a87537e88a499063481334078ee5e5cea4affbf4e3465b798fb7a70f625df748291e0490209e885566c9d9fee3821fc1
-
Filesize 1.2MB
MD5 18cfb3e4a82144c3c6d5bcd4d31f557a
SHA1 7b4ef7be49712b767c218d32c4dd5f44694ae618
SHA256 f2787a35bef9512cc2e0e313ec908ff5f166c2acc0dc047d26c7a5c2abb6f98b
SHA512 8c88d4bb61267f762438ac6b3a1e398adba320a37a2650e29b1b4e38bcc182246fe5e73252989b4290f81bcdf92e00c64305f98d5d86f408c053887e29532e9a
-
Filesize 1.2MB
MD5 b31b0e94e19b37b313de4ac8c0e58ba0
SHA1 100bd0a865a1319e1f64397532cb9d3a052b7ba5
SHA256 35d5f86b1928d97df588eda86b36129253cfdea06bb45d14988075d539d935da
SHA512 17e151ca6b3deef30b620d8023f2787aedf84fc2fabf54ea8578ae2d018ddf55b7e61eec3cbd1a13eec76cf9e8d71074c328ae3147e83c61a7ee4bc8f28ca05e
-
Filesize 1.2MB
MD5 bce4aef19a0ac87bf992cc4002b32566
SHA1 9b8588a3c5b90f0ecb7c92bf0b77f63d3e9a7fb2
SHA256 7b32c9cb22d657122b4d3b64fcf21117bfb8ef8780e16c6e70f8e7e054d2aff5
SHA512 8132e531f18dbc26254d7ff9c3a65d7975d827fd127790ea1154490317ba3047b8ebc5091406faf1512cd33bdca632ab6601f51f51cfb3fb2cbdc7dcc4ef729c
-
Filesize 1.2MB
MD5 e1b9231c123f656f2132d9869f9ba4c6
SHA1 6ace1160e37cb83fbb3bb50ccb2ea4d2edc22356
SHA256 6231a4ee9b772874ccc6cdbc880d35fba232d62d0df12cc88f37c6deebd8e946
SHA512 0ef7bf4ffaffb1ae4447864ace9bdd7d06a3176402df105a042febfb128ec1caee9649b5301cf33cb32a104c95b33e5d92da0fbefc6428f41a6aff958e2dc9f8
-
Filesize 1.3MB
MD5 b9f4b6c38fe856c1761ab7c64adf50dc
SHA1 38def28e3664938c5b40fc862cd30c22bf19797f
SHA256 acb9da39414c00e312308449bf66e5fc24af867bd24fa255fff8604adc2451b4
SHA512 667d13aad13d27b5e4670decf129b00d90e72a3e0df3147c1a51fc65f8712faf09c253566e3790dc7d227e8bb46eb08abb1a330d51fd74d4017b12331f32cfc4
-
Filesize 1.2MB
MD5 899beb1ab7a5e6b80e6c9e069efd5565
SHA1 e3543e340758e06947b2e6d03cf174c8dec9677c
SHA256 e37616e54e3c3d158d232d731686ce5d6f7dd7140330992fb8a940251c44ec35
SHA512 f29d1b6ed524766a15e26589ad17e69758d1b1c1dff974858ee4c9c658deb54855d80a318a770e9149ca0060972dec53ee69b2dceb901247256f5bd40c1ce777
-
Filesize 1.7MB
MD5 487817a2e6a8845e7b36aeef73b1ab66
SHA1 ef62c0b85465fd29271612005b550c3a4c1b363a
SHA256 7cbe6c064320782ec21df708923959ef9bc973d8f2fa831e188eef99580f757a
SHA512 318b8f1968dee8b361ea1176e7f8a7e35a023d4461b46c61dbecc69f6f2007fbf07ade7461478c6f8faa7b2fc4a1a35365676ce57ff3531d35c069bbaba734fa
-
Filesize 1.3MB
MD5 cdd45369fc2e84ed138bfdb685ba9ec3
SHA1 386220ce63c8df21723764bca4c2d2409c4b056f
SHA256 1ce32c59666eba3e759795217af37e73bda4a37fd12d76362c1c48132308b00e
SHA512 51265059866529112358efade26331725eb749192e16249eb1fd6964d965fa949ea9e850b9d5fcd22bd2540f83c3859239efd641ff7aaa7bf75e51decfc09b26
-
Filesize 1.2MB
MD5 a6a4fce3b04576bebc74a180821bd603
SHA1 c7ce92842990dd7a351c12864fe456e24844d62f
SHA256 3dce4b7c79b8621e3b6e27c17059b29afe68ade1444450a06121c6442e7bcaa2
SHA512 c68663965525fd737a6b44779c97b6774ca26c4a235ddb73785fafddc63842b1bba45799ef9850c728286110aca2427e62e6e588a011f07f1b874c639c7e4f23
-
Filesize 1.2MB
MD5 95ff205b614404f3c6477c74366be918
SHA1 cf00283fcae0f6a284731358ac239e365f0d3eb0
SHA256 338843907f86abda3c9cb0e8eda8028d96dcac13d6d794f16ee428ff6861f054
SHA512 98f46d0b43760870c57d83557036413bb0b7a423d5a4b66ad268bc74653143e0404e5045bc80a9a1f2a480c8079e2114c56aced804cc44cae30d89baecc6f72f
-
Filesize 1.5MB
MD5 54b21ef968f33a9ae22ed06a66af69ea
SHA1 46f43e9e86961e5a36a99820e7685040798644ee
SHA256 453ab470dfc87a2b9fa1aa1e8c74923c1e6878a0d58f9fb2644aa3224ece2db1
SHA512 7bc4c59740d16659cb005e3da1aa0c35091224ac9cdf517301aeb50bb22c870052990badb66476ccf42c05dfd86a73cf9d9fcf353926e61bc339f08740f8af70
-
Filesize 1.3MB
MD5 f91ef9ee9d65ca08ab55f5194656fa8a
SHA1 88930f646ae41394f6c3128ec7607f69a6966917
SHA256 06d1454e1cff18dc77083b6f8a94fff50b75903cdb552e732178287ebaf11fb9
SHA512 e95810478349334ca8170369f4daf2c8c3a21134f815671fe5478deb28bb7717ce57231c4117948e2755522071093335d1705ce8f649521e087f3de069937905
-
Filesize 1.4MB
MD5 e3b0dbf8913465a3c8d81abbc256d104
SHA1 23d1ba9ede3cd4089a439b7676375d261e635f53
SHA256 439b2c98e5b025cab791dca08e34765307c6220a6684af6e6819f32d6fd112dd
SHA512 cb3e79b14fb78189be23393d3ef694e85341e6d7b208289f2628618aeaf10d0d304955ab9bd959fa6c7da3d95d0f379b1ad89122c29496271278e63221772823
-
Filesize 1.8MB
MD5 74b32453a1692918a700fe46f3fbbb36
SHA1 084c3d545d790e558a2b77b97bb4dd22b0089183
SHA256 f86dcc9ff23e027fdffbe639db0020afd49d86b7ee01702caa14bb7df3e93481
SHA512 acd8db45bd433633c3dd13ff0c2ea349f7bf0c63f90eacf184ef6a43687d23f96929365a98edad75ae724e912a6c39761ee9729924ed497e19fe8f07fe5be68c
-
Filesize 1.4MB
MD5 f5be4908fa4b0f8f7ce04910e2e5fb14
SHA1 497b904e96714f1735dbc22f1cf764ca65533bc5
SHA256 a09378c17036b9eb9c1c904d8cebcb90427129dc9fc53d71489178fc5a5f7e11
SHA512 266c3b6f115e07c1a61f04a227b61cc034e82654d34c193fe04a26606127b1a726e515a8e9ff158b868a8632b545549d4659751b14888c06656a5ecef26b6eff
-
Filesize 1.5MB
MD5 82fdd5aadbb05ef72817090116ad3834
SHA1 0d9b133eb83230b1d277cbea52198b672dd37ca5
SHA256 0ec58a02cede8c0f4cecde1737c2e35bbf3639b7e55938b6db4c9c927a18f48c
SHA512 95eb636f547bfa9af7071d69e42fd6f0dc520aad64a4c996c6d8dccf9cead6cbe8fc42a2a10d84336e1ae2b5f72fd0fea2ff8b825010f4834eeaafe1260e7bda
-
Filesize 2.0MB
MD5 43b2a8536e912865330d85449af3a8a2
SHA1 563d73aff095e199a8fc43eb63384de68cd9b70d
SHA256 f725c9dffb533c183a3dfb47144b81cc47f481e8ff1c566189d705d11e61bb07
SHA512 bc229e06aac86a45b3fced4bff090126ea4d76af97a779d9c28ab5227e91d96962beebef18c8b65619db6cb5f4a38ffefda89ac3f4c826f9e1abb622626528cb
-
Filesize 1.3MB
MD5 15b7eed57f52ff63e34db0ee21458c2e
SHA1 2319297fa075a57816364f4338af28f9f022096e
SHA256 542c817e45bb4280e6f10e2ce77d681359ccb26a9eb75a9bce44146bd354cc16
SHA512 1a46f3b50d685dcc7de6a3ac740cd0952a5ff5f827b2854e53a0a03c0f0104a2784584e6eb71d6d8805d3a3eb4e1ad23e3107afb88cf9aed89764df10a4eeff7
-
Filesize 1.3MB
MD5 ecc35f9abcbd876e343373c17576249f
SHA1 9b188bc5d0ebf01a4ceaf48d4e70d732cdd660e1
SHA256 0fd06dc7d882df57cb8a8b33adf90c8472718f7aa944209236b1fb8aa142f30e
SHA512 9c5325f86c8816ace8335107f70fa438c8e195250762a904f1ed34573e1f99af9e7686e6c0ce9655a035ac2a32495d948d5d7b409585f572fcff702d72ff3a66
-
Filesize 1.2MB
MD5 12ade6a6c0e3aeb00445919e89a4bb04
SHA1 8361604e94f46afe10a5d2a6134acc5539f9e404
SHA256 a40c01889e82e74858b5a80f31b23e99818d5c41bb6098452b5c4707a03b2fb7
SHA512 aa9ebe0020930823d2b2218843acdee20a54740c2b6d025f7610fc562263172fa4fb492499fd30489327ab2056205c553cad6bbdaa8d0a53a1fad2d369c12728
-
Filesize 1.3MB
MD5 444d0c4f6c77fd6b1c6010990d2abf8d
SHA1 379e845f93c1fac1fc731b9423f4cdd2603d9e9b
SHA256 15b754b5a098fb7dcb4079e223984576542e831a5ec1dea4b47da16f3652853c
SHA512 f6de440518086952c63032119ad51a869163582f35db5dfa96ba18636f522e215daff3dd09d607c8dc11f86b25e6896f2e61da684dfa22baeafeb38ba1ac23c0
-
Filesize 1.4MB
MD5 622fb8a3edf8126afa2b1522c4aa3342
SHA1 42c25e8c2536c92545cc24c36c61683dbec10123
SHA256 08e59cd637e0fa1a3ee1b354032ba5cd2360115101c03847cee4957d0993bc55
SHA512 dd74a804fb64e5382931dd89dc452ccbbddbf239576ffc47847b762e26cf00b229ea69abe1c2708150f52a002d55d1823c088557c124382cf7bcd3bceeab2716
-
Filesize 2.1MB
MD5 142f904c1f852a18f1a855b429b0d576
SHA1 7372fc70d72bb5537809c644cf949043e3df5aba
SHA256 ebfdf37972eb671a97937bc5c53e6935388163173bafb17c1be8f9d8c75b251f
SHA512 1db545e2e549e953fe4ffc19615191c8558b02f4f512a9d610c6cbf9f33a32526bad7761a4c270c14f0a0d575f76a5a007a14fd0bd34bcf271707c0c3bcd76df