Analysis
max time kernel: 150s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 23:02

Static task: static1
Behavioral task: behavioral1
Sample: 58f05a6737521572818cd1f75e222c3a2e2074804015cfd20478ce172f7430b5.exe
Resource: win7-20240903-en
General
Target: 58f05a6737521572818cd1f75e222c3a2e2074804015cfd20478ce172f7430b5.exe
Size: 1.5MB
MD5: fc79808a43907451d0691d1b7b8fef4d
SHA1: 27fbe3ae11151c696e977f6bc1a48e96b2c27638
SHA256: 58f05a6737521572818cd1f75e222c3a2e2074804015cfd20478ce172f7430b5
SHA512: f6920e1ed68d235d6b6995eb68876be3b0df6a0a4b04d4491c9aab36996097612dd525ffd8d59603ebc06728fa211b6e43483caa580d2f323fd266010214480f
SSDEEP: 12288:LwnXp/66ux+ivhEFQt3n5jiB3x4WslePAp9teeTKpU8/xX+T+p61:LcZ/TuYivOa5jA2nl+AbTKpdN+Wi
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Every name in this list is an existing Windows or third-party service executable, and 20 of the 22 also appear in the "Drops file" sections below as opened for modification before they ran (the Program Files list is capped at 64 entries). The pattern is therefore overwriting installed executables and then starting them, not dropping new files under new names.
pid   process
4744  alg.exe
3220  elevation_service.exe
1008  elevation_service.exe
5036  maintenanceservice.exe
2772  OSE.EXE
3696  DiagnosticsHub.StandardCollector.Service.exe
948   fxssvc.exe
1544  msdtc.exe
3872  PerceptionSimulationService.exe
4460  perfhost.exe
4980  locator.exe
1560  SensorDataService.exe
676   snmptrap.exe
4324  spectrum.exe
3984  ssh-agent.exe
2112  TieringEngineService.exe
2284  AgentService.exe
4884  vds.exe
3900  vssvc.exe
1480  wbengine.exe
3884  WmiApSrv.exe
2288  SearchIndexer.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data. The report attaches no IoCs to this signature, so which browser stores were read is not recorded here.
Drops file in System32 directory (24 IoCs)
All entries are "File opened for modification", grouped by the process that opened the file.

By 58f05a6737521572818cd1f75e222c3a2e2074804015cfd20478ce172f7430b5.exe:
  C:\Windows\System32\alg.exe

By alg.exe:
  C:\Windows\system32\config\systemprofile\AppData\Roaming\dc71c9a538f5360d.bin

By elevation_service.exe:
  C:\Windows\System32\snmptrap.exe
  C:\Windows\system32\spectrum.exe
  C:\Windows\system32\AgentService.exe
  C:\Windows\system32\dllhost.exe
  C:\Windows\system32\msiexec.exe
  C:\Windows\System32\SensorDataService.exe
  C:\Windows\system32\SgrmBroker.exe
  C:\Windows\System32\msdtc.exe
  C:\Windows\System32\OpenSSH\ssh-agent.exe
  C:\Windows\system32\vssvc.exe
  C:\Windows\system32\TieringEngineService.exe
  C:\Windows\system32\wbengine.exe
  C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\SearchIndexer.exe
  C:\Windows\system32\AppVClient.exe
  C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  C:\Windows\System32\vds.exe
  C:\Windows\system32\fxssvc.exe
  C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  C:\Windows\SysWow64\perfhost.exe
  C:\Windows\system32\locator.exe

By msdtc.exe:
  C:\Windows\system32\MSDtc\MSDTC.LOG
Drops file in Program Files directory (64 IoCs)
All entries are "File opened for modification" unless marked otherwise, grouped by the process that opened the file.

By alg.exe:
  C:\Program Files\Mozilla Firefox\plugin-container.exe
  C:\Program Files\7-Zip\7z.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
  C:\Program Files\Internet Explorer\iexplore.exe
  C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
  C:\Program Files\Mozilla Firefox\crashreporter.exe
  C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe
  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe
  C:\Program Files\Java\jre-1.8\bin\ktab.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
  C:\Program Files\Internet Explorer\ExtExport.exe
  C:\Program Files\Java\jdk-1.8\bin\rmic.exe
  C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe
  C:\Program Files\Java\jdk-1.8\bin\jdb.exe
  C:\Program Files (x86)\Google\Update\Install\{CA9E0780-5A2C-43F8-9E63-52BCB11A02D4}\chrome_installer.exe
  C:\Program Files\Java\jre-1.8\bin\klist.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
  C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

By elevation_service.exe:
  C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe
  C:\Program Files\Internet Explorer\ieinstal.exe
  C:\Program Files\Java\jdk-1.8\bin\klist.exe
  C:\Program Files\Java\jdk-1.8\bin\serialver.exe
  C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe
  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
  C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe
  C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
  C:\Program Files\Java\jdk-1.8\bin\jar.exe
  C:\Program Files\Java\jdk-1.8\bin\jstatd.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe
  C:\Program Files\Java\jre-1.8\bin\jabswitch.exe
  C:\Program Files\Java\jre-1.8\bin\ktab.exe
  C:\Program Files\Java\jre-1.8\bin\orbd.exe
  C:\Program Files\Java\jre-1.8\bin\servertool.exe
  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe
  C:\Program Files\Java\jre-1.8\bin\java.exe
  C:\Program Files\Java\jre-1.8\bin\javaws.exe
  C:\Program Files\Java\jre-1.8\bin\rmid.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
  C:\Program Files\Java\jdk-1.8\bin\ktab.exe
  C:\Program Files\Java\jdk-1.8\bin\javah.exe
  C:\Program Files\Java\jdk-1.8\bin\idlj.exe
  C:\Program Files\Java\jre-1.8\bin\kinit.exe
  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
  C:\Program Files\Java\jdk-1.8\bin\jjs.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
  C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
  C:\Program Files\Internet Explorer\iexplore.exe
  C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe
  C:\Program Files\Java\jre-1.8\bin\ssvagent.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
  C:\Program Files\Internet Explorer\ielowutil.exe
  C:\Program Files\Java\jdk-1.8\bin\wsgen.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe

By maintenanceservice.exe (File created):
  C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log
Drops file in Windows directory (2 IoCs)
File opened for modification by elevation_service.exe:
  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
File opened for modification by msdtc.exe:
  C:\Windows\DtcInstall.log
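Read together, the "Executes dropped EXE" list and the two "Drops file" sections describe a cascade: the submitted sample opens C:\Windows\System32\alg.exe for modification, alg.exe then runs (PID 4744) and opens further executables including Edge's elevation_service.exe, and elevation_service.exe (PIDs 3220 and 1008) in turn opens the System32 service binaries that also appear in the executed list. The Python below is an added example, not part of the sandbox report or of the sample: it parses an excerpt of the report's own flattened IoC text (constructed here from the entries above, in the report's one-line layout) into records, rebuilds that modifier-to-target chain, and emits the list of executables a responder would hash and signature-check against a clean image. The regex, the EXECUTED subset and all function names are this example's assumptions about the report's layout.

```python
"""Rebuild the modify-then-execute cascade from the report's flattened file IoCs.

Added example, not part of the sandbox report or the sample. FILE_IOCS is a
constructed excerpt of the report's own "Drops file in ..." entries in the
report's one-line layout; EXECUTED is a subset of "Executes dropped EXE".
The regex, the chain logic and all function names are this example's own.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = "58f05a6737521572818cd1f75e222c3a2e2074804015cfd20478ce172f7430b5.exe"

# Constructed excerpt: "<action> <path> <process>" entries run together, as the
# report prints them. Paths may contain spaces; process names do not.
FILE_IOCS = (
    "File opened for modification C:\\Windows\\System32\\alg.exe " + SAMPLE + " "
    "File opened for modification C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\dc71c9a538f5360d.bin alg.exe "
    "File opened for modification C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\92.0.902.67\\elevation_service.exe alg.exe "
    "File opened for modification C:\\Program Files\\7-Zip\\7z.exe alg.exe "
    "File opened for modification C:\\Windows\\System32\\snmptrap.exe elevation_service.exe "
    "File opened for modification C:\\Windows\\system32\\spectrum.exe elevation_service.exe "
    "File opened for modification C:\\Windows\\System32\\msdtc.exe elevation_service.exe "
    "File opened for modification C:\\Windows\\system32\\MSDtc\\MSDTC.LOG msdtc.exe "
    "File opened for modification C:\\Program Files\\Java\\jdk-1.8\\bin\\jar.exe elevation_service.exe "
    "File created C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\maintenanceservice.log maintenanceservice.exe"
)

# (pid, process) pairs from "Executes dropped EXE" (subset).
EXECUTED = [(4744, "alg.exe"), (3220, "elevation_service.exe"), (1008, "elevation_service.exe"),
            (1544, "msdtc.exe"), (676, "snmptrap.exe"), (4324, "spectrum.exe"),
            (5036, "maintenanceservice.exe")]

IOC_RE = re.compile(
    r"(?P<action>File opened for modification|File created)\s+"
    r"(?P<path>.+?)\s+(?P<proc>\S+\.exe)"  # shortest path such that the next token is the process
    r"(?=\s+File |\s*$)"                   # ... and the entry ends at the next 'File ...' or the end
)


@dataclass(frozen=True)
class FileIoc:
    action: str
    path: str
    process: str

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_file_iocs(text: str) -> list[FileIoc]:
    """Split the flattened IoC text into (action, path, process) records."""
    flat = " ".join(text.split())  # undo the report's line wrapping first
    return [FileIoc(m["action"], m["path"], m["proc"]) for m in IOC_RE.finditer(flat)]


def infection_edges(iocs, executed):
    """modifier -> sorted names of executed binaries it opened for modification."""
    ran = {name.lower() for _, name in executed}
    edges = defaultdict(set)
    for ioc in iocs:
        if ioc.action == "File opened for modification" and ioc.basename in ran:
            edges[ioc.process.lower()].add(ioc.basename)
    return {k: sorted(v) for k, v in edges.items()}


def chain_from(root, edges, depth=0, seen=None):
    """Depth-first walk from the sample; returns (depth, name) pairs for printing as a tree."""
    seen = set() if seen is None else seen
    out = [(depth, root)]
    for child in edges.get(root.lower(), []):
        if child not in seen:
            seen.add(child)
            out.extend(chain_from(child, edges, depth + 1, seen))
    return out


def reverify_list(iocs):
    """Every .exe opened for modification: what to hash and signature-check during response."""
    return sorted({i.path for i in iocs
                   if i.action == "File opened for modification" and i.path.lower().endswith(".exe")})


if __name__ == "__main__":
    iocs = parse_file_iocs(FILE_IOCS)
    for depth, name in chain_from(SAMPLE, infection_edges(iocs, EXECUTED)):
        print("  " * depth + name)
    print(len(reverify_list(iocs)), "executables to re-verify")
```

On the full report the same parser works over the complete "Drops file" text pasted in, but note that the Program Files and HKEY_USERS lists are capped at 64 entries, so the chain it recovers is a lower bound.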
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language:
  58f05a6737521572818cd1f75e222c3a2e2074804015cfd20478ce172f7430b5.exe
  perfhost.exe
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments. In this run the reads come from spectrum.exe and SensorDataService.exe, two Windows service binaries that elevation_service.exe opened for modification (see "Drops file in System32 directory") and that were then executed; on this evidence alone the reads cannot be separated from those services' normal device enumeration at start-up. Note that one enumerated device is a QEMU DVD-ROM, a vendor string a VM-aware sample can use to recognise the sandbox. The signature list is capped at 64 entries, so the uneven per-device coverage below is probably truncation rather than different behaviour.

All keys are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\. Device instances:
  A  Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000
  B  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
  C  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
  D  CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000
Property subkeys (under <device>\Properties\):
  P1 {b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  P2 {259abffc-50a7-47ce-af08-68c9a7d73366}\000C
  P3 {51236583-0c4a-4fe8-b81f-166aec13f510}\007A
  P4 {cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
  P5 {540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
  P6 {78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
  P7 {8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004

spectrum.exe (34 IoCs)
  A: key opened; FriendlyName queried; Properties opened: P1 P2 P3 P4 P5 P6 P7
  B: key opened; FriendlyName queried; Properties opened: P2 P3 P5 P6 P7
  C: key opened; FriendlyName queried; Properties opened: P1 P2 P3 P4 P5 P6 P7
  D: key opened; FriendlyName queried; Properties opened: P1 P2 P3 P4 P5 P6 P7

SensorDataService.exe (30 IoCs)
  A: key opened; FriendlyName queried; Properties opened: P1 P2 P3 P5 P6
  B: key opened; FriendlyName queried; Properties opened: P1 P2 P3 P4 P5 P6 P7
  C: key opened; FriendlyName queried; Properties opened: P1 P2 P3 P4 P5 P6
  D: key opened; Properties opened: P2 P3 P4 P6 P7
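What a VM-aware sample would learn from the Enum\SCSI reads above is contained in the vendor and product fields of the four device instance paths. The Python below is an added example, not part of the sandbox report or the sample: it splits those instance paths (copied from the report) into class, vendor, product and instance, and rates each device against a short marker list. The marker list and the strong/weak split are this example's own assumptions; "VIRTUAL" is rated weak because Msft Virtual DVD-ROM also appears on physical hosts whenever an ISO is mounted, whereas QEMU names the hypervisor outright.

```python
"""Rate the Enum\\SCSI device instances above for virtualisation giveaways.

Added example, not part of the sandbox report. DEVICE_IDS are the four
instance paths the report lists; VM_MARKERS is this example's own short
list of vendor/product substrings (an assumption, not exhaustive).
"""
import re

# Instance paths copied from the report, relative to
# \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\
DEVICE_IDS = [
    r"Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000",
    r"CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001",
    r"CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002",
    r"CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000",
]

# Assumed marker list. "strong" strings name a hypervisor product outright;
# "VIRTUAL" is weak because Msft Virtual DVD-ROM also shows up on bare metal
# whenever an ISO is mounted.
VM_MARKERS = {"QEMU": "strong", "VBOX": "strong", "VMWARE": "strong",
              "XEN": "strong", "VIRTUAL": "weak"}

# <class>&Ven_<vendor>&Prod_<product>\<instance>
ID_RE = re.compile(r"^(?P<cls>[^&]+)&Ven_(?P<ven>[^&]+)&Prod_(?P<prod>[^\\]+)\\(?P<inst>.+)$")


def parse_device_id(device_id):
    """Split an Enum\\SCSI instance path into class, vendor, product and instance."""
    m = ID_RE.match(device_id)
    if m is None:
        raise ValueError(f"unexpected Enum\\SCSI instance path: {device_id!r}")
    return m.groupdict()


def vm_markers(device_id):
    """Markers found in the vendor and product fields, with their strength."""
    d = parse_device_id(device_id)
    probe = f"{d['ven']} {d['prod']}".upper()
    return [(mk, strength) for mk, strength in VM_MARKERS.items() if mk in probe]


def sandbox_giveaways(device_ids):
    """{device_id: [(marker, strength), ...]} for every device carrying a marker."""
    hits = {}
    for dev in device_ids:
        found = vm_markers(dev)
        if found:
            hits[dev] = found
    return hits


def is_likely_vm(device_ids):
    """True when at least one device names a hypervisor product outright."""
    return any(strength == "strong"
               for found in sandbox_giveaways(device_ids).values()
               for _, strength in found)


if __name__ == "__main__":
    for dev, found in sandbox_giveaways(DEVICE_IDS).items():
        print(dev, "->", ", ".join(f"{m} ({s})" for m, s in found))
    print("likely VM:", is_likely_vm(DEVICE_IDS))
```

Run against the report's four devices, only the QEMU DVD-ROM gives a strong hit; the two Msft Virtual DVD-ROM entries are weak on their own, and the WDC disk reads as physical hardware. For sandbox hardening the practical consequence is that the QEMU vendor string in the emulated optical drive is the first thing to mask.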
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. Here the reader is TieringEngineService.exe, a Windows service binary that elevation_service.exe opened for modification and that was then executed, so the same caveat as for the SCSI reads applies.
TieringEngineService.exe:
  Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried \REGISTRY\MACHINE\SYSTEM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Modifies data under HKEY_USERS (64 IoCs)
All keys are under \REGISTRY\USER\.DEFAULT\. The writers are SearchIndexer.exe and fxssvc.exe, both opened for modification by elevation_service.exe and then executed, plus SearchProtocolHost.exe and SearchFilterHost.exe, the Windows Search host processes. MuiCache string population, FileExts key creation and shell-extension cache entries are routine start-up behaviour for these services, so this signature reflects the modified service binaries running rather than a distinct capability of the sample.

SearchIndexer.exe (8): Set value (str) Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-N
  -1  = "Microsoft Language Detection"
  -3  = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"
  -4  = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"
  -5  = "Microsoft Transliteration Engine"
  -6  = "Microsoft Cyrillic to Latin Transliteration"
  -7  = "Microsoft Devanagari to Latin Transliteration"
  -9  = "Microsoft Bengali to Latin Transliteration"
  -10 = "Microsoft Hangul Decomposition Transliteration"

fxssvc.exe (4): Set value (str) Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-N
  -1131 = "Route through e-mail"
  -1132 = "Store in a folder"
  -1133 = "Print"
  -1134 = "Microsoft Routing Extension"

SearchFilterHost.exe (7): Key created
  SOFTWARE
  Software\Microsoft\SystemCertificates
  Software\Microsoft\Multimedia
  Software\Microsoft\Multimedia\ActiveMovie
  Software\Microsoft\ActiveMovie
  Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device
  Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device

SearchProtocolHost.exe (11): Key created
  Software\Microsoft\Windows
  Software\Microsoft\Windows\CurrentVersion
  Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
  Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc
  Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff
  Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList
  Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au
  Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList
  Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf
  Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList
  Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList

SearchProtocolHost.exe (8): Set value (data) Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\<CLSID> {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF
  {C120DE80-FDE4-49F5-A713-E902EF062B8A} = 0100000000000000715f33893232db01
  {80009818-F38F-4AF1-87B5-EADAB9433E58} = 0100000000000000a1ab41893232db01
  {1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} = 0100000000000000c58d80883232db01
  {5383EF74-273B-4278-AB0C-CDAA9FD5369E} = 01000000000000007f3cb0883232db01
  {F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} = 01000000000000003939ee883232db01
  {A38B883C-1682-497E-97B0-0A3A9E801682} = 0100000000000000c30639883232db01
  {E46787A1-4629-4423-A693-BE1F003B2742} = 0100000000000000a1a574883232db01
  {3DBEE9A1-C471-4B95-BBCA-F39310064458} = 0100000000000000fd683b883232db01

SearchProtocolHost.exe (26): Set value (str) Software\Classes\Local Settings\MuiCache\26\52C64B7E\<resource>
  @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll:
    -101 = "Microsoft Excel Worksheet"
    -102 = "Microsoft Excel Template"
    -103 = "Microsoft Excel Macro-Enabled Worksheet"
    -111 = "Microsoft Excel Macro-Enabled Template"
    -114 = "OpenDocument Spreadsheet"
    -115 = "Microsoft Excel 97-2003 Worksheet"
    -120 = "Microsoft Word 97 - 2003 Document"
    -123 = "Microsoft Word Document"
    -125 = "Microsoft Word Template"
    -131 = "Rich Text Format"
    -142 = "Microsoft OneNote Table Of Contents"
    -170 = "Microsoft PowerPoint 97-2003 Presentation"
    -175 = "Microsoft PowerPoint Slide Show"
    -176 = "Microsoft PowerPoint Macro-Enabled Presentation"
    -177 = "Microsoft PowerPoint Macro-Enabled Slide Show"
  @C:\Windows\system32\unregmp2.exe:
    -9902 = "Movie Clip"
    -9909 = "Windows Media Audio/Video file"
    -9932 = "MP4 Video"
    -9933 = "MPEG-4 Audio"
    -9935 = "MPEG-2 TS Video"
    -9939 = "ADTS Audio"
  other resources:
    @C:\Windows\system32\cabview.dll,-20 = "Cabinet File"
    @C:\Windows\System32\ieframe.dll,-912 = "HTML Document"
    @C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"
    @"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"
    @windows.storage.dll,-21825 = "3D Objects"
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
3220 elevation_service.exe
3220 elevation_service.exe
3220 elevation_service.exe
3220 elevation_service.exe
3220 elevation_service.exe
3220 elevation_service.exe
3220 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
668 Process not Found
668 Process not Found
(The sandbox could not attribute PID 668 to any process in the tree below, so the driver loads cannot be tied to the sample or to one of the dropped binaries from this report alone.)
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
SeTakeOwnershipPrivilege, enabled by the sample (PID 3468) and by elevation_service.exe (PID 3220), lets a process take ownership of files whose ACL would otherwise block it, which is the step needed before overwriting protected service binaries under System32 and Program Files. SeDebugPrivilege (alg.exe PID 4744, elevation_service.exe PID 3220) allows opening other processes regardless of their ACLs. The remaining entries are privileges the respective Windows services normally enable for themselves.
description pid Process
Token: SeTakeOwnershipPrivilege 3468 58f05a6737521572818cd1f75e222c3a2e2074804015cfd20478ce172f7430b5.exe
Token: SeDebugPrivilege 4744 alg.exe
Token: SeDebugPrivilege 4744 alg.exe
Token: SeDebugPrivilege 4744 alg.exe
Token: SeTakeOwnershipPrivilege 3220 elevation_service.exe
Token: SeAuditPrivilege 948 fxssvc.exe
Token: SeRestorePrivilege 2112 TieringEngineService.exe
Token: SeManageVolumePrivilege 2112 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2284 AgentService.exe
Token: SeBackupPrivilege 3900 vssvc.exe
Token: SeRestorePrivilege 3900 vssvc.exe
Token: SeAuditPrivilege 3900 vssvc.exe
Token: SeBackupPrivilege 1480 wbengine.exe
Token: SeRestorePrivilege 1480 wbengine.exe
Token: SeSecurityPrivilege 1480 wbengine.exe
Token: 33 2288 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2288 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2288 SearchIndexer.exe (logged repeatedly; the 42 entries of this signature are otherwise identical to this row)
Token: SeDebugPrivilege 3220 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2288 wrote to memory of 2132 2288 SearchIndexer.exe 121
PID 2288 wrote to memory of 2132 2288 SearchIndexer.exe 121
PID 2288 wrote to memory of 3056 2288 SearchIndexer.exe 122
PID 2288 wrote to memory of 3056 2288 SearchIndexer.exe 122
(Targets 2132 and 3056 are the SearchProtocolHost.exe and SearchFilterHost.exe children of SearchIndexer.exe shown in the process tree below; SearchIndexer.exe itself is one of the dropped binaries executed in this run.)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. This signature records use of the VSS COM interface only; whether snapshots were created, enumerated or deleted is not shown in this report, and vssvc.exe itself is among the dropped binaries executed in this run (PID 3900), so the API use cannot be attributed to a clean service binary.
Processes
-
Process (tree depth 1): C:\Users\Admin\AppData\Local\Temp\58f05a6737521572818cd1f75e222c3a2e2074804015cfd20478ce172f7430b5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\58f05a6737521572818cd1f75e222c3a2e2074804015cfd20478ce172f7430b5.exe"
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3468
-
Process (tree depth 1): C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4744
-
Process (tree depth 1): C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3220
-
Process (tree depth 1): C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:1008
-
Process (tree depth 1): C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID:5036
-
Process (tree depth 1): \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2772
-
Process (tree depth 1): C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:3696
-
Process (tree depth 1): C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:2264
-
Process (tree depth 1): C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:948
-
Process (tree depth 1): C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1544
-
Process (tree depth 1): C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3872
-
Process (tree depth 1): C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4460
-
Process (tree depth 1): C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4980
-
Process (tree depth 1): C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1560
-
Process (tree depth 1): C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:676
-
Process (tree depth 1): C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4324
-
Process (tree depth 1): C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3984
-
Process (tree depth 1): C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:2768
-
Process (tree depth 1): C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2112
-
Process (tree depth 1): C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2284
-
Process (tree depth 1): C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4884
-
Process (tree depth 1): C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3900
-
Process (tree depth 1): C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1480
-
Process (tree depth 1): C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3884
-
Process (tree depth 1): C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288 -
Process (tree depth 2, child of SearchIndexer.exe PID 2288): C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:2132
-
-
Process (tree depth 2, child of SearchIndexer.exe PID 2288): C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
- Modifies data under HKEY_USERS
PID:3056
-
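The process tree above lists 22 Windows and third-party service executables that ran as "Executes dropped EXE", that is, the binary on disk was written to before the service started. On a host under triage the first question is whether the same binaries are still the vendor's. The PowerShell below is an added check and is not part of the sandbox report or of any tool it mentions: it takes the image paths from the tree above, reports each file's Authenticode status and SHA256, and writes the result to CSV. The version folders for Chrome, Edge and the Mozilla service are wildcarded because they differ per host, and the CSV location is an assumption.

```powershell
# Added example (not from the sandbox report): check whether the service binaries that this
# run executed as "dropped EXE" still carry a valid Authenticode signature on a host under triage.
# Paths are the image paths from the process tree above; version folders for Chrome, Edge and
# Mozilla are wildcarded because they differ per host (assumption). Run from an elevated prompt.
$Paths = @(
    "$env:SystemRoot\System32\alg.exe",
    "$env:ProgramFiles\Google\Chrome\Application\*\elevation_service.exe",
    "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\*\elevation_service.exe",
    "${env:ProgramFiles(x86)}\Mozilla Maintenance Service\maintenanceservice.exe",
    "$env:CommonProgramFiles\Microsoft Shared\Source Engine\OSE.EXE",
    "$env:SystemRoot\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe",
    "$env:SystemRoot\System32\fxssvc.exe",
    "$env:SystemRoot\System32\msdtc.exe",
    "$env:SystemRoot\System32\PerceptionSimulation\PerceptionSimulationService.exe",
    "$env:SystemRoot\SysWOW64\perfhost.exe",
    "$env:SystemRoot\System32\locator.exe",
    "$env:SystemRoot\System32\SensorDataService.exe",
    "$env:SystemRoot\System32\snmptrap.exe",
    "$env:SystemRoot\System32\spectrum.exe",
    "$env:SystemRoot\System32\OpenSSH\ssh-agent.exe",
    "$env:SystemRoot\System32\TieringEngineService.exe",
    "$env:SystemRoot\System32\AgentService.exe",
    "$env:SystemRoot\System32\vds.exe",
    "$env:SystemRoot\System32\vssvc.exe",
    "$env:SystemRoot\System32\wbengine.exe",
    "$env:SystemRoot\System32\wbem\WmiApSrv.exe",
    "$env:SystemRoot\System32\SearchIndexer.exe"
)

function Test-ServiceBinary {
    param([string]$Path)
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Path   = $Path
        # 'Valid' means the embedded signature still matches the file bytes. 'NotSigned' or
        # 'HashMismatch' on a binary that Microsoft or the vendor ships signed is what an
        # overwritten or appended-to service executable looks like.
        Status = $sig.Status
        Signer = $signer
        SizeMB = [math]::Round((Get-Item -LiteralPath $Path).Length / 1MB, 1)
        # SHA256 can be compared against the Downloads list in this report.
        SHA256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

$Results = foreach ($pattern in $Paths) {
    $resolved = Resolve-Path -Path $pattern -ErrorAction SilentlyContinue
    if (-not $resolved) {
        # Report absent binaries instead of silently skipping them; some are optional features.
        [pscustomobject]@{ Path = $pattern; Status = 'NotPresent'; Signer = ''; SizeMB = ''; SHA256 = '' }
        continue
    }
    foreach ($item in $resolved) { Test-ServiceBinary -Path $item.Path }
}

# Anything other than Valid (or NotPresent) deserves a closer look.
$Results | Where-Object { $_.Status -notin 'Valid', 'NotPresent' } | Format-Table Path, Status, Signer, SizeMB -AutoSize
$Results | Export-Csv -LiteralPath "$env:TEMP\service-binary-check.csv" -NoTypeInformation   # output location is an assumption
```

Read the Status column first; a SHA256 that matches one of the entries in the Downloads section below confirms that the file on the host is one of the binaries this run produced. A non-Valid status with a SHA256 that matches nothing here still means the file is not what the vendor shipped and should be preserved for analysis before the service is repaired.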
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores (T1555): 1
Credentials from Web Browsers (T1555.003): 1
Unsecured Credentials (T1552): 1
Credentials In Files (T1552.001): 1
Downloads
-
Filesize 2.1MB
MD5 d1668178147e6f6323bfe078ea1ee7d2
SHA1 487ceae30c303234f9e6b978caa99e2973b24a79
SHA256 e1da1dd18f06c16e612fc5270fa585fc3ee8684ad8cc99d464f5bdf5d6494598
SHA512 415b4eb94423109b2bdb53deab2bc2b65bc121be94425d3e1e300469d223e4d4c8d27ff1160e2413ab8512f3f6e2ffd84285a68dda9bb50f7819e5fbbffd94f6
-
Filesize 1.7MB
MD5 a2c05bbaa5175a6f2537c4af02f7dfac
SHA1 09f1e951ddb2c6f89f0a84081876e1fd26a13831
SHA256 26d83d9c82ee263a8bde94b648a1210e803bb012f240aa7c31b7eed7f19c81f3
SHA512 392cb68860b84157a9771779b2846d56d1ebba7bc371114d147bf607f1eaba011be95bde08a4b94b6c23a23c45bc704d45d8aa75367b376dafdaa3b5c6c02c9b
-
Filesize 2.0MB
MD5 a0ac1d4eb0923cd7863c1104d39bfd0e
SHA1 1af039dd2b3f82dfe97a790038b397bb674f37c2
SHA256 6615ec9b40e2408245616848cf3ab53f54fca725236adfae6b0c34378e0cda34
SHA512 34b5c7777e6065f2928e8d6b2fa7a3f7c4674e41e8e350bbdbaeaefdeb06d15599288ae79240beead6f4c728e1cc988682c4d48be3dbc80ef8e0a243e234e441
-
Filesize 1.5MB
MD5 710c609c799c7ec96c16a3647c173787
SHA1 932b0165103d9a3b81b06d4c97b45010491dbed8
SHA256 38e65ffc8c07bc98e0028558b9eb094ac01b745304a4a9aa619235d294e93c8d
SHA512 e5a2c31a690cde730ca11bd6acd34e8352c3b4fb16bf5972f83644b2b92095d9aba63a2eb8b4718188ea35f849ce278c93ae63fa02bd7b592046a26bb6eba6b4
-
Filesize 1.2MB
MD5 c74c81adc3a8f0fb8e02aa981be663b4
SHA1 c569516654c8f6fa71817d1f6b844b5a86aac57f
SHA256 6ffef07886593f67616e981ef89ef58e0856823e4f50277a346cf598609e4a7e
SHA512 28da6921380950d00dcf8cf95a634a73e4e057f7f725786305e3e8bc161ef9b6dbdfc3e7d1c157a2215f88ae2c7c554256cef2fdda661c8996a8895230774484
-
Filesize 1.5MB
MD5 6813dbaa5a9a68928ad63aaebf7060f7
SHA1 423e1f37f31dbebc552223e27e6a986211ef1e5b
SHA256 cb42a7d97b31141a41230272177731d99b8c5f28c7509fc7112bf94e61c67eba
SHA512 d8edf5c25b8d29d8562170ec99d5669c5937453aa2c9177fa331dd1f9283ca8435bb3f419f5226add8e430d74d6e2107f81070546ecfd60d63caa6b8e91eb8c6
-
Filesize 1.7MB
MD5 2dd49d91579b951768e7b481c52f2d6b
SHA1 5daaa340a80ce31b333722f67cc845efc04fad37
SHA256 e31c087a6f6d04317a4d6d6606ea3856f1d320d62821ac2d92d068c8976b12be
SHA512 b4e306733e032bfa800fb6aab04e5ae9982e9386a960bb66d6d63eea78c273ebe577ae54aad5bedef7c35130c7c83a8b116a86e649cc73e311bdbadbf3adbbc0
-
Filesize 4.6MB
MD5 00534697516f38a483439e3572194cf8
SHA1 78062543ef516724ee29dd5970182a3b1d2a7e58
SHA256 0b38d6b2b85c890272b85313a89818ae4b897cb12b7100f361a50663507f79d8
SHA512 aa35ae625abc83d440c0cc1292507608b33d913df75859a2df2d7923a0cd6f55bfd76882bd9ea0564157d3ae96dbfd676b223e4eb75961c7c73f616eed141516
-
Filesize 1.8MB
MD5 bde2f48dbb14b4cb5d014d1926bffdb4
SHA1 c2bb6b6a94b5bf28318c0258e5aeb44019a47ad2
SHA256 1c05b04ae6f4b44e2dc4be51743e3e88007c8d2738e4887daccf55be9c41198d
SHA512 17f2519a46ffc9860dd0d7e4b357217a315d6ab00939df907d2256541fdb72dbf6f079be6578edcdfb63c83c63bca0dd4abeae44cd9f27acd73f86b9c9cb1c2d
-
Filesize 24.0MB
MD5 6f1ebbbc7760fd2c6d3becb970164455
SHA1 41a1c226d2a06a891309a5c63d80c520fd156abe
SHA256 ebd8b3e96dc1f471c306303bb4e6de854eb7aeb44694fa9a2b7fa143839181bb
SHA512 96e248cc47745a4d931f7617ad80bc90fccd6548fe1fb998dad3f7b8ccf81925ebd8101e7021bc420c5c60c382aa8100ac3658be28b319e589dfd3131a43d2bf
-
Filesize 2.7MB
MD5 76389488c152c72a932786a3655d0d48
SHA1 99eb30286de2f6cc6f2c5039c9d40c544e74b22b
SHA256 f9ff883b79ae7ace0d17174b1f18f1cc60cd8b448c583067b0f63618198a9280
SHA512 8e05b49602a52253080e7f15a70dd308b42412cb54b2a2690f4f9c2485655bf3253f198bc909754732ef577579832a9cad84a87ac9cf269ac91bf8ddcc280251
-
Filesize 1.1MB
MD5 ff94ac050b57bb95752b67b6b896789c
SHA1 2c124a065657dc70aca33f2bea710c0bb5dd4522
SHA256 cdf6219a3cfde9c2c615f0b48beaa9638a96f12e8f6d30086fbc1f963ebcbe53
SHA512 10d6b8c44f3da061c9beaaa9bdd962c901a204dc603a716fc8c1d758ca39591c91459c44da966a0e4dc194d2865a2f60838a4d2979694443a6ea6e6fb62588de
-
Filesize 1.7MB
MD5 89dcde5558e69ece3077c955cf66458a
SHA1 a1069e168c6af40b2171c1900b1e6938eeddf318
SHA256 499508b55407bd1e2b2f7f62b83a16491ba841cf153f1cef898c78b6333d31bc
SHA512 31f8e13ffddab686566d0e00fde76845e75cf10bcbf63a9a73c1f79be38567b9df67bbc1898c5f9f127ace6fb940e3d6b8b10995c4d819001051f4217f1aa67b
-
Filesize 1.6MB
MD5 ef9f9ad909c290e86488542c8a9d610b
SHA1 94aca32ffd0f363cf7aa4847ffd3789a8c50ce70
SHA256 c543eefd7b15eff3fca99e38146ec7f90b26a6443606dba5c118aedb7b6eeb85
SHA512 a068af07f6a440df5c417682ec938572a4886d5c54a58b6271e97071a89f705614d8b5f65d9eb0ef3f1e9b6fcfcaa49d777e5c84b074b5540fb6a08721d31609
-
Filesize 4.6MB
MD5 d403b0c9df08bbc0621eebb6ddad96c3
SHA1 0b6e03cdec585a0e5b56c2ebeb0515b340a2ffab
SHA256 107b223201196ab308e93ffb253e3b0136a2928261f9afdff221ccdd4d221c83
SHA512 322421e9733917eaa742fa16d467ada1efeedfbb06b115eb698298bf56b1f648db00303b833aab97d2085c8a42eece2ae5c9fb4b5ff610d52a01683f019feebc
-
Filesize 4.6MB
MD5 62641dba56445661d560957fd75d43c9
SHA1 457a344beb759dd93aac225ba7fbf887536c620a
SHA256 e8b3ca30b33496a77ddae6c095cb265b8f5c1d2829e3de580cedac1c64d7409b
SHA512 eb96dccdac81c5a694ffb48c145fb3758afc07251ef5958b845f5fa5c030476865af762b6eda2dec0ed027f82ec91b1737c40e2595b4695e71a1fd4b0433961e
-
Filesize 1.9MB
MD5 7a9ffe5e13510a5fb735d6ed864231d9
SHA1 0c19215b1313415f8470e9739c5cdad7deb06fc7
SHA256 612b140dc9e0bb9be3b33942d79c61c9c3f8de21fe1afdc63d800051b096dada
SHA512 9232e5699b9b9daba10376a3fe89f82606d67a2d9680e76fea86d9367a5a9a4988d168c433f0e41cb98f3be1f725951cd5c706bd3f8644a877d08fa95a36ed91
-
Filesize 2.1MB
MD5 9c0af8864c21d06844e47335661998b2
SHA1 5e87f96147051764fae401e0f0b1d29577cfe069
SHA256 4d59b656d2eea21527ab3ba06d5acb07e4605158f5f5b74e6e60f3d5eaf6277f
SHA512 42480d20fa3183b6e0b05043b1aa91f8f6133f8d17a49be5fb28872ac88706056adc2db1167b89aea1f4b082bfd839f30f0507e8e2ffed8e3d021fd6463c1b2d
-
Filesize 1.8MB
MD5 2e0e7f566102cb6cfc3ab059c0cbcdef
SHA1 bebe90640b460607434be04d54430393b1049ff4
SHA256 25e6a121b1916aec404503396a3d2f3f5baa88106a024ccbc449fcf02938431d
SHA512 5f3c1f47f538cd4dd69bdbd9bdd7edc8a2d145a5859850f988544dd10ae24b205e7a4797b8d3f1b7fb2b81988bac5dfc3bcd706092e77006de06a350356a88af
-
Filesize 1.6MB
MD5 6387b89ec9f7f91c046d69a51f03a065
SHA1 502ede3cd9608018f4fb368fe51209397aca8ea4
SHA256 f33558eb231bdaf7698908c9b30a7df335eb920c34eeabe07a60c17e1e42b303
SHA512 83b627b204646c7c4f60aee47f65d3eae175fdcbe06cc3c3d4444945923e57836cbcb73dbeca041cc0f123f27b2ede1618ad8f2c8ecff107c0d8bcd9ab724bcc
-
Filesize 1.5MB
MD5 77300fabf3b4daa811f43dde2e66b960
SHA1 f9ef4a96510d045cf9390c40b364b77c94ef8810
SHA256 f2e8860005ea5d35d306717274d8fc2f433dd3cf755d2354c61b653414be237b
SHA512 eed983526d78913419b393d6ce23dbd9157b40e4e270266b935b28e3afab8f9db88e1d5ccafffddbfc1ce002f0adf68a89d04602136f18cb429cd146b07b644a
-
Filesize 1.5MB
MD5 1613da2b883c6e76014231c6a626d1ad
SHA1 3b6853c52a3283ea08942ef977ebb8f43293d015
SHA256 8d1cfa4f6b84cb9cbefdc10c9027a2928a549b65e32de5f85fbf79d4e0e1bcfb
SHA512 6f51cfaefce7136d0ba5a83b014396ebf7fe45d18a9085626a2ee53cb385d591791887ec7cf646c18cc60726e38316d0d8429e3464e1fa14f194e9f4eabf0b8f
-
Filesize 1.5MB
MD5 1656cea55d2dc86e3e6cac7502ac3f80
SHA1 1f32edaa52df23e390f198bab88cf7e43013c595
SHA256 9b7aa3f0c7a9f4839cea52dfed8ecd79412418f2af0595c4269e9df14082d37f
SHA512 1559cf437f2d971fcc0c46a96ee48c472dc7a9e175d2c42ac7ed95014497de29bcfdd3f3de37cf5dce15597f12daa617b26f07d55c32a1d23e1974f31b62eecd
-
Filesize 1.5MB
MD5 c4b54db849dd0322d7af18a0434a73bc
SHA1 fb8fd46e91b9f7c1a6ce73112bd929fa449514fe
SHA256 2efd06162888a443203a0ff78105b86c38415dcacd1f19fd7ec3f9d8fa30e6e6
SHA512 7f88e241f4c2206826c1793380de3ad38a56fb5ce6ac3a75ce36774e7e6f807b82a90c654cf40bb2d3e17cd56d9072f78431e18d71fbfed741e7019561441253
-
Filesize 1.5MB
MD5 014829afac5991005d9799b0c5370f3b
SHA1 eed713a3a51b5c4a993f1b5ea723db4908db528c
SHA256 62bad4bde57574757d5fb3a4a1ee510783b2dce20bd5356a6e0b9f88c760eece
SHA512 5c62430f81d2641106968990fb42c1209be1098e687f0415aec9489776cae0c9146f328bef4d649bc3a5dbc861fd816f6e542a037d00562c17700244bb750b2e
-
Filesize 1.5MB
MD5 faa2219f11ffc2cbf67cacfe4fb68d93
SHA1 4487ec8f120f387a2b9682a3e10215692ef8436e
SHA256 fc7cf656accabf146f15943355fcf9d1f935fd13bfb6eb7700de4e030156fe9b
SHA512 7d6923a951ce08e0ea07fa83dd84589fb33e968a989addac01e6bc133f8df772f872a51eeff3b9d432b09f7fb989fa662d0bc7e70099c6321ee4f60aa5f2c199
-
Filesize 1.5MB
MD5 a3fda418d221ddfa16a30c42ac48fbaf
SHA1 a9933108f090a00e681930bc6c28f660f0f7cd1a
SHA256 58440e4416117d06f866dfd70c1ee54973ce3eb693dc7fea6554c9af79cc322b
SHA512 9d3b5f6412a43e2fd833d26272e9c4ab4a2ac39e6adfef1c000d762b7bd86a80ebedb0270066a4a4b9a70b1a3fc6f5130d9198a5c12570a2f903b39afbb8de2e
-
Filesize 1.7MB
MD5 506c8d925d27b26f344f9366830ac9dd
SHA1 34c97a0cde6b8a658c29d5dbc409d1f237d14cfa
SHA256 95ce5aaef99563da583792b324f890ef1aa932b696aeb6cb240d0968a0eaa860
SHA512 87dac553443b88599fe260062bd54382030721e67757cab8d69025e66a8f76e0b7678370cbc11b8c39e52cea60102793abba87fe3f62845a642851754d61be7a
-
Filesize 1.5MB
MD5 61d8593d664dd64cf839ad81a3a66718
SHA1 2c25dec811bead1804dec1f9da867d0db46d61c5
SHA256 fa9687f350f10194544c167fbfeac6da4bfc9ed2f647578da63ace473662fe55
SHA512 93aa9943bb481c0c0d4e307a01013f47ef1bfcecb9f98809711a4dec78a20bcb0550850d14792640cc78c307ea0f7672375cc8dc5df4a969a131bca0014f3903
-
Filesize 1.5MB
MD5 fcf5fb890888d84d1e19a401e55360e2
SHA1 f8ef04d18b00cc2c954fde6e112563b2c318a389
SHA256 fe7498db89acf07437abc3c26c931b4a2bd699b2515e1dcd0453a0f30dbfc572
SHA512 2b3f5c2ecf0620e71d803bfb7b4749cc690f8f40662ab7a28c55f2ba823fbaea81c6f0e2b972ad74285be5d0c7c180006705701bad9a4da7aa60ee83ded111ea
-
Filesize 1.6MB
MD5 9071b80cb31f72730c1203bb9f0a5ab7
SHA1 c4c4cec54290e98d13bb12aa30004ef4f60bdef6
SHA256 69a8e22a52e1a719c7227fc43a18368e67cf5f5cce388180a8ee5f6b9f74efaa
SHA512 5894a3ea37de9c7c4929fcd2ce2da5fcb1690776cec4e635e1d5470c5d40083671646ac3d06ab7677f762f346293841693b55d295ea50cd154bf7351ead6e80a
-
Filesize 1.5MB
MD5 eaa3f5123d6f141fbf9bc5e02e29aae8
SHA1 dc18a2fd2bd6a56dd47d8d1ee36bd97f0adfe2de
SHA256 730188f4426e856cf954d23b337354b72240899f7be5955aecacf9b211157a4b
SHA512 7b0c927d71568d94cf5ddf9b7d6defecfe82b4a00d9de3be72227f64ded872250be877500cb3f5f13561e4da1c1ffdbdb7f754d465db64f37b3f594191fed9ec
-
Filesize 1.5MB
MD5 cd70765215654f7d78601299b203e09a
SHA1 b4c71aa1928256a1e72ee50d5e9adb3cf084fbf3
SHA256 19bf090a0b3732fef23ef8a4bd664666e4c43e248800b79558a01dc6dfc3756b
SHA512 056fd0be1f636e7ecc22462fb71f007d747b52390b02066928a84a69a4275f06f3c899d4d0a5a1665abb237f845d7d2a7cd9e029415f40ac3d8503f44ab30bda
-
Filesize 1.6MB
MD5 b0388e71d78bdf44cf0a68261041c63b
SHA1 b67ebce6b8c94a3c256c0186160a8c9fb99ddeeb
SHA256 a1addcafed659b0e8762197739c5d882757d3c738bda1b232fc367c5c48c53a2
SHA512 e0da8c457f803400b6468a61af6a9c6625ae4f9ac5c43a841f9d162b8bc7c77c0427122ab8e157d3cdd81092b69bff3665caa4cc5f99a9e2675883829d41a778
-
Filesize 1.7MB
MD5 bd42705121660706273b68afef1c2519
SHA1 01af966dcfb493bb191b7bfec52f7a1815e6a80f
SHA256 e92e308bc36d8278eed47ed31226c3a1b90bce50db9d473c29f373dceb2d3dc2
SHA512 be0b89a6a94ee210d5e99c082d8468a83c6dccde6f7ae9e127a125b99d2fadf447e2941f58e85915c3063d20518874167749903f1f9cf08e06ef06ab064209d2
-
Filesize 1.9MB
MD5 0ab279370911bc658279d265a2ae39f7
SHA1 d2b9a855ce27a26ca843e4ba43964d42d3c6c801
SHA256 c77cb1ff8b79515ec3ca304bc79041f61caecdb1a73e07dcd79a5dfe7c201a9a
SHA512 507382074ab60cebffb552f674d382fe20fa2fb0e281567b20539dc3bb7ffc47721f312c86e5fed6bb26a6b7f56a4166f88060268866aa234f7f0daf5b5c82ac
-
Filesize 1.5MB
MD5 e5f5b1d199f21cc3056f33066482ec1a
SHA1 329e29d633cf6074892af103630302a22106e6bd
SHA256 2c2f3bc68c895212f64ee8ef1f0168f4ba772d013c0a2d500a4b1d41bc4301b0
SHA512 c36275c30d41db5bf0b543c664e9d1790ff6f37cd2ffaa1089bca3c09e0fc6211092d3cbaa29ce7927b614b86ae8d8713abf185e571395c1e56cf72420d1bdfb
-
Filesize 1.5MB
MD5 a77814a4dc848c8e29c6da1134b9a1e4
SHA1 9a218ad06554760a390a610c39896b8b42b5473a
SHA256 1763f963ffea1e7d77aa4b3a384e8fa57f49fa0af0e386c4f291a6a3fa29e1ea
SHA512 fa62ed3c3b7479cc8c4479c292548bfb86fdb60d3b4fde0ab0cb48d3ac32d7f6bd4b5599b24ccc09a5715d55099163b76aee84e2dcc800b179831c98970fab8c
-
Filesize 1.5MB
MD5 af0fc12eb62fe258e6d5c46e52a339ca
SHA1 dcd9a91fc4c48fa7712e0b61ac32f9d856061652
SHA256 6056d6730baa8236fdc3ee1a6228054ce45a283a555c4dfa295b338edc719c1e
SHA512 0e390cd625aaadb20f684523d645312d9f9863b02ec5f185df95c15827fa74819c2e7a243d8e396d4ec3aacd5e776a84d20f88fde7c1acaaec0da19c143bdba9
-
Filesize 1.5MB
MD5 fcbb157fd9926ad30755c659d0188445
SHA1 720b9380e3f2626cc75823c557441a8276ae9c95
SHA256 d091327a6ae455adb48cb47fc92eb970685c0864f740c2dc3cc78b37a6a97ca1
SHA512 03766a4f95295f2918f55c24998c8bb478be9adda0ec5bc1677e8b24ba7d0d870d1c2b481c684f51e8784d64ac44a5926ff0cf1ec4dde399de277fc380e2773d
-
Filesize 1.5MB
MD5 abeffe923f3b5025b7bc6a3f6329a4ba
SHA1 1834056c2ad55cd375580dcdecb7dc8f9a0ae977
SHA256 5960c3a8218a0e93c88240d2e2a9b55947e222257ccfce59da22765338306ea8
SHA512 5dd2fe950c2fd554367c4c74a0650bab2714ec4b59ca74a4680d298be3af345203845095719a9214e0d6f73b13d9d1a5720b9ccb2b773c1395aa1184c4902164
-
Filesize 1.5MB
MD5 10ddac35f4ef187c72482ce201fb1a4d
SHA1 25fbf09e65410ea21ad05985f332e9615cb3168b
SHA256 25f2086367f138100b4c0fb102614d51501346fa7363147996bf852b791a84b5
SHA512 118cc9eb414a979dabddbc068a7619918cd18b55571dab5bba0e3579299f71f9963e6218321e36a4fcd2f38f68b0085b945439fb0b107e94d334517e35f4eb8b
-
Filesize 1.5MB
MD5 e453f42d9168404c796ad013f5aabae2
SHA1 28f911e435558c7db66d095b7ebd5dc14bc3fcbc
SHA256 8de8bf5e2a650a3118402e54c8b128f248509abfd759cee9f83107c3ad28b754
SHA512 cc340d07bf780a976ca29e1fc94781dba4d493a73c8b6d4cbf7fc0ed144ac6f90bb2d5647e10ac289da01ee03293a8b3be10a9957eec8112cdcb35aa91aab4dc
-
Filesize 1.6MB
MD5 cb872abf7d04331aa5f4031175b7fbaa
SHA1 7053f6f3a2828542fd6dfae013e5c5c527d4d255
SHA256 d704cbc42f69dd11bd55b380740c0a869a52981190df886060a4dbdc7d151f1f
SHA512 cd2dcd7abfd25e10e36ec93faa5a10804b58537ec2a4eccb5afdaac125fe656ab33699513d9f7c2583b8623b3fcbe0102d1ed40021065cf7a2a91a57aa52a05f
-
Filesize 1.5MB
MD5 3304c9c1b50e702d7d83c2f26a9f4b49
SHA1 d2745e148bec4ae2e5c155846c46b74175815b40
SHA256 5ff26f754e6f6ae2835408f159d5f1fbd179160e2b9a2e094e2a01396c253b9e
SHA512 1469d444db174625e3be3c8ec8c778abe5e38168296141eb1764a56f088e204cda332a0d38efa07c90bee3ec6c2123c1a8553593b0e3646544abf13d06243ce0
-
Filesize 1.7MB
MD5 fb16e829412a5dc7183c5f31862b1575
SHA1 4628f7847307c1fc2766136712040b5d445a9eeb
SHA256 2089d6f51e4fb8e8d339fb4a136621219204bec07a35d2215b0e2f2f98fe8de3
SHA512 817e0335df94d01b339b6b18cc1d8a59f566c59478978e0ff5924e7b9845b4ccdc13c3d06c98b8a96621cf309c43747f18c66b27825445a60c57f7aad87d0eeb
-
Filesize 1.6MB
MD5 f43fca1eca39701a0206590b62f8cce2
SHA1 c445a2d68772563e898778b2134aafdf17498083
SHA256 936533bb201d462f4f1df5f64ac11b42e1ae4f9c207287f6feb0d4b685ed8f47
SHA512 f7dd0ba056ae156e3ff7f021fde6e2a8a6de0e45c422811eea7b2b12e8f248880e2f6f013cdabd1b440664cc77c379ac7a799e8806e003eec63e33bd0019e7fc
-
Filesize 1.2MB
MD5 587b38cde161574eeae821e0f7ae4ab1
SHA1 0ff82e59489f18622ced7247615e5b296bf32e5e
SHA256 47d472569aba3248a9ce8da99c2afb58a4d060b1738a94e5f933de72860a792a
SHA512 29d15e472f9dd4f584126d7210bd354c750c2a75521b39259fcfda566f6232a3456bb3fab92e93cbd24f09dc195afadefb412480911e5d19844ed96d67ba6caa
-
Filesize 1.5MB
MD5 61ddf629e1cdd852584d0d404459c636
SHA1 e5508146546c60ec84ec907f5ec0bc4fd709531b
SHA256 fa1cc65448c08ea07ba0e72d43b83bee49f0c2f40c25104c9fa48ac13761ed10
SHA512 51f6802673045abc788cfabfa4b186adb34a887ca9d185304744131e5ff4f5c978496cf6e0217e173d11d2f2695e84a012493e4ab832dc07ec2f69287e92edb9
-
Filesize 1.8MB
MD5 3379e24b141d08f782dee925c5903a06
SHA1 a289d3536ae843692b0314b5888d440d1bacd3b0
SHA256 90c9a702ba481beea6c145c74411fe8fd779b7240e6c348cdf2cfb799c953439
SHA512 0eb56b64af7512cc9f82ad5d6ae6d85e8383718de38930cbfc85277530673619c9527429f49035ec6844243da7550f36395d5d83ca93e6ab33a7887ed74dba16
-
Filesize 1.6MB
MD5 e5265fb4c0cb95df0253345fd06f4121
SHA1 1dbcb349d9906eede71a6e1102cbc9c47172f6c4
SHA256 52b0c715cbb33819bc4106af3554029cd6a689ae68b96b4da377438a4d427949
SHA512 b0d0b9c3e88880c20f20b60c26dc215c94000a7725d98c262239637f17f3fe643da8ac340d83bb21c4f354290c1ac5aa611ecb44d85b3b8c612a759c4952df8c
-
Filesize 1.4MB
MD5 7a8ad1642c2a660bc784d0672a979254
SHA1 d922c9f17073e9123f24524c909137a9e0284403
SHA256 98b11666d1582510f215c39f104f0891bb43981094f5bb62e31e6fd54271615e
SHA512 ae78f2b2d748e19a1f6d4a82e437277cbc65d65b98203888b79049850edaefa8eed0feda62c9b631e28745134f2a5cbee76bc1b0f9f7039b23e2d3c5bb35f090
-
Filesize 1.8MB
MD5 d823007b9baee908f3a8bd49f737ad1a
SHA1 0c76816cae6df960a0b0152df119accc310aa357
SHA256 86055a9289973d9a658826fcb604c6c33bcdb5ef43ebdf037bf7bed9544306d7
SHA512 aa166dc93db159efc68698bcdce92334e9a95224dd34be3889a0930da2a753dab721cd4833f515393889b45ee057763cbb70a426816099631c2e6b5191614c85
-
Filesize 1.4MB
MD5 042a0d4f2a8aaad06d8cb60aa593fa53
SHA1 11a0b8c645a0c8a1a3b0c6aeffae9be24b8007e4
SHA256 fb084e2f17bb5278b9c479084c60573ff2a9d1f080d0562e2173ee8bc7fc3e7a
SHA512 88d6302d13a605b9c5a4c40fd44f7a8de150acf806e62b722e2adcab5e6afa5dda51fd70ad88cac7397a0c2c9ae662759208a2ea4d881405b3b7e157ae18641f
-
Filesize 1.8MB
MD5 aa00a354835f04545b94405d4823866a
SHA1 817218ae756d69a9b8dc0cac2b1aafbfbb46a48c
SHA256 81deed5078deb4a01dcea5a3d8c0dda27a5133f3138bd56caad8d3c99e9114ea
SHA512 dd185a36e1f095e5735a1afbf7d2a7b7ed5f60acbd2e29f09de066765ceaf110dfdc5419cd4d0be5e84ee51a9bdf7db86cc4932d124af8d7eece3320b428bbdc
-
Filesize 2.0MB
MD5 6bc1f68a6792fd125f26fb897825f736
SHA1 30eeeb29568143fa984322a045b1d0b4bdc64dab
SHA256 272d2187aee9bd659533b47ce0634195a86725b482127854b0b6b0ac6100c949
SHA512 9418a1e4f812cbc4ce6ee78814c97f2fd0e8eb3d798b26600654988d4bbe40ed7dac0f874dca3bc982e4778c3e2d3d2d01436d746e5aa806299925752d169d87
-
Filesize 1.6MB
MD5 c4189259b76861f00b2dd59edb67b73f
SHA1 11dee49456391cbaf06f517c82640c008b0187a3
SHA256 a73dda04477facd2e478877c2f159128531764c2ffaf9c1531da39979b684bae
SHA512 d615b1ebd0cf447d2cbc4ca11b6e9510cb7110008326310e627d630254c31e56187809ca8cc22be2f1318e006a20a5cede4244dd4eef557233d452dbda4d3f22
-
Filesize 1.6MB
MD5 d0aa89b19e613710d0cdbe45ae45841b
SHA1 f2fb63bfb81ee4515e8eb2958ba67fb0805ac0c1
SHA256 b6bdaaa752300905450e9a772b5f31258a64562bed5240d2c53f3a4c3af8784f
SHA512 ffaccda821cb7625c7c2d58da9641aefc82778e5682147ed9f648d5eb45991cb271066cdf67ef3d40e75a7dcb9738a6a8cce48e36caaa8dfa46b6e754eaa2f68
-
Filesize 1.5MB
MD5 06fc7dcb5a1948974961a92357087ebb
SHA1 ba1e7f54a78383d01734666bb0fd6235f2c34885
SHA256 4e0244cab61af8ac6e290b4cf39430c57bfbcedc744163b221e48229e6b7de08
SHA512 63ac8c724c81caa3d152e1a9ec466b9bd35bec6082cb5be1b7562d2279720c35b5be24165986c1895a3c8aed26573e806d61147082814d206c94cace4a9d74ce
-
Filesize 1.3MB
MD5 16870a6401718b8f79b992b031cc9cb2
SHA1 ed00b1ac77b996b4a6145431a4eb06b9201b3680
SHA256 ecd63bc343a25d84375337d17715158d29bc57cca07dbf63bf8762d9bcb2f0be
SHA512 f923d718c3c8c543cc4e1bb21ac00fff686edf055ed59a15e2f9a0445cf2b7282d198d94481103ce3ce1e52a5e3b5fe3718e6b30d2a9f2eafb7618231f883249
-
Filesize 1.7MB
MD5 fc952961f499a37b34c198c0f38c3883
SHA1 41c15ec9bae8bb1d0de4bb841ca9a916c68d4b91
SHA256 dfa2a20c5f14ea5c8760a4b9c77270c4bb302d7bf1133ccb139dc034998935d5
SHA512 51dff9689143e99ecb9af43538768a8b7120fa8580184f58d3d021e9831345725de7b71fa734502418b750c782afb2f314b2f29fe422220e39918666ebdf3216
-
Filesize 2.1MB
MD5 22491e8b4b1bce3cd8c8ac9ee5bf7f5b
SHA1 690107fd10bd803edddea3ac758babd9777e1af8
SHA256 8be71cafa33162bfdf948d2e174d49a22bf164c03d0b7e7f1b24c8d83993a97b
SHA512 a3610dac5a20b77802582bdf22869df00b8a595b5f702ac1586838201081e83e58b228fc16f8d8c8b382b36cb1705652da789d8b8640f02eda5b3ac2576cf93e