Analysis
max time kernel: 119s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 23:04

Static task: static1
Behavioral task: behavioral1
Sample: 8f5a3774c6bc83952ef19083557a12d9fadc818d14a821217301d08ee367c794N.exe
Resource: win7-20240903-en

General
Target: 8f5a3774c6bc83952ef19083557a12d9fadc818d14a821217301d08ee367c794N.exe
Size: 1.5MB
MD5: 11ae5c21748a38670adc526522f14d50
SHA1: de6aa955a00af8eb1666d92d3f8919a90ad70726
SHA256: 8f5a3774c6bc83952ef19083557a12d9fadc818d14a821217301d08ee367c794
SHA512: d817414e3bbd8062a64359e57561fe500d4b6e57ef3cfb509ba80693adf0412350e88a5ab9b27901e83118ee362a1bc29147ff013feb77351c7e74945d453b94
SSDEEP: 24576:WZMYzFVSO9t/sBlDqgZQd6XKtiMJYiPU:WZMYzfT/snji6attJM
Malware Config
Signatures

Executes dropped EXE (22 IoCs)
pid | Process
4476 | alg.exe
740 | DiagnosticsHub.StandardCollector.Service.exe
4436 | fxssvc.exe
1124 | elevation_service.exe
4296 | elevation_service.exe
4972 | maintenanceservice.exe
3476 | OSE.EXE
1020 | msdtc.exe
2456 | PerceptionSimulationService.exe
1800 | perfhost.exe
1820 | locator.exe
2944 | SensorDataService.exe
2360 | snmptrap.exe
2136 | spectrum.exe
3596 | ssh-agent.exe
2700 | TieringEngineService.exe
3064 | AgentService.exe
4592 | vds.exe
3452 | vssvc.exe
4728 | wbengine.exe
3196 | WmiApSrv.exe
4340 | SearchIndexer.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (29 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 8f5a3774c6bc83952ef19083557a12d9fadc818d14a821217301d08ee367c794N.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 8f5a3774c6bc83952ef19083557a12d9fadc818d14a821217301d08ee367c794N.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 8f5a3774c6bc83952ef19083557a12d9fadc818d14a821217301d08ee367c794N.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\e6cc078a94857919.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 8f5a3774c6bc83952ef19083557a12d9fadc818d14a821217301d08ee367c794N.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 8f5a3774c6bc83952ef19083557a12d9fadc818d14a821217301d08ee367c794N.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe

Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{86586A1C-7EEC-4BB2-AD86-7C1FB3D0D811}\chrome_installer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 8f5a3774c6bc83952ef19083557a12d9fadc818d14a821217301d08ee367c794N.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe

Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ac379bf3232db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ef2e5be3232db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee312ac03232db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022764cbf3232db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a6339bf3232db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a98ee3be3232db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid   Process
740   DiagnosticsHub.StandardCollector.Service.exe
740   DiagnosticsHub.StandardCollector.Service.exe
740   DiagnosticsHub.StandardCollector.Service.exe
740   DiagnosticsHub.StandardCollector.Service.exe
740   DiagnosticsHub.StandardCollector.Service.exe
740   DiagnosticsHub.StandardCollector.Service.exe
1124  elevation_service.exe
1124  elevation_service.exe
1124  elevation_service.exe
1124  elevation_service.exe
1124  elevation_service.exe
1124  elevation_service.exe
1124  elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid   Process
660   Process not Found
660   Process not Found
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
description                            pid    Process
Token: SeTakeOwnershipPrivilege        1116   8f5a3774c6bc83952ef19083557a12d9fadc818d14a821217301d08ee367c794N.exe
Token: SeAuditPrivilege                4436   fxssvc.exe
Token: SeDebugPrivilege                740    DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege        1124   elevation_service.exe
Token: SeRestorePrivilege              2700   TieringEngineService.exe
Token: SeManageVolumePrivilege         2700   TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege   3064   AgentService.exe
Token: SeBackupPrivilege               3452   vssvc.exe
Token: SeRestorePrivilege              3452   vssvc.exe
Token: SeAuditPrivilege                3452   vssvc.exe
Token: SeBackupPrivilege               4728   wbengine.exe
Token: SeRestorePrivilege              4728   wbengine.exe
Token: SeSecurityPrivilege             4728   wbengine.exe
Token: 33                              4340   SearchIndexer.exe
Token: SeIncBasePriorityPrivilege      4340   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        4340   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        4340   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        4340   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        4340   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        4340   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        4340   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        4340   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        4340   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        4340   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        4340   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        4340   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        4340   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        4340   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        4340   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        4340   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        4340   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        4340   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        4340   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        4340   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        4340   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        4340   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        4340   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        4340   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        4340   SearchIndexer.exe
Token: SeDebugPrivilege                1124   elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description                         pid    Process             procid_target
PID 4340 wrote to memory of 4380    4340   SearchIndexer.exe   123
PID 4340 wrote to memory of 4380    4340   SearchIndexer.exe   123
PID 4340 wrote to memory of 1208    4340   SearchIndexer.exe   124
PID 4340 wrote to memory of 1208    4340   SearchIndexer.exe   124
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f5a3774c6bc83952ef19083557a12d9fadc818d14a821217301d08ee367c794N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8f5a3774c6bc83952ef19083557a12d9fadc818d14a821217301d08ee367c794N.exe"
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1116
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID:4476
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:740
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4868
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4436
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1124
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4296
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4972
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:3476
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1020
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:2456
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1800
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:1820
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2944
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2360
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2136
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3596
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:3276
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3064
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4592
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3452
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4728
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3196
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4340
    (child of PID 4340, SearchIndexer.exe)
    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:4380
    -
    (child of PID 4340, SearchIndexer.exe)
    C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
    - Modifies data under HKEY_USERS
    PID:1208
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (1)
- Credentials In Files (1)
Downloads