Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 19:05

Static task: static1
Behavioral task: behavioral1
Sample: 4b922f181390938a9e72b5ff66699dc81d34bed1a3dea26978895e7b839f6af5.exe
Resource: win7-20240903-en

Note: the task list names resource win7-20240903-en for behavioral1, while the analysis block above describes a win10v2004-20241007-en run. The IoCs below include service binaries that exist only on Windows 10 (SgrmBroker.exe, PerceptionSimulationService.exe, SensorDataService.exe, OpenSSH\ssh-agent.exe), so they come from the Windows 10 run.
General

Target: 4b922f181390938a9e72b5ff66699dc81d34bed1a3dea26978895e7b839f6af5.exe
Size: 1.3MB
MD5: 40404a0a1718c5adda55c97b7e4c0d1d
SHA1: 86285a0e837b10c8a210d29e5b62e54d20206809
SHA256: 4b922f181390938a9e72b5ff66699dc81d34bed1a3dea26978895e7b839f6af5
SHA512: 799516e1d5556ae75b85ad1dc33c680588469b59d3ac3ff0c4f3b684aed7b3ba1b6fe7f5587d1853e551f942bfd15fd37ac9c69bade9d13a7d9cb6acdcd97fe9
SSDEEP: 24576:BIXgCWSpRyndSJVDsVu5unzqWvX1JSkQ/7Gb8NLEbeZ:AWSjaSJlsQuzqW/1MkQ/qoLEw
Malware Config
Signatures
Executes dropped EXE (22 IoCs)

Apart from alg.exe and elevation_service.exe, every entry is an existing Windows or third-party service executable; the "Drops file" sections below record each of them being opened for modification by alg.exe or elevation_service.exe before it ran, which is why the sandbox classifies them as dropped.

pid | Process
2352 | alg.exe
3544 | elevation_service.exe
2912 | elevation_service.exe
2024 | maintenanceservice.exe
4968 | OSE.EXE
1432 | DiagnosticsHub.StandardCollector.Service.exe
1996 | fxssvc.exe
2004 | msdtc.exe
4392 | PerceptionSimulationService.exe
4756 | perfhost.exe
804 | locator.exe
808 | SensorDataService.exe
1008 | snmptrap.exe
4660 | spectrum.exe
4364 | ssh-agent.exe
1780 | TieringEngineService.exe
3492 | AgentService.exe
3248 | vds.exe
412 | vssvc.exe
1036 | wbengine.exe
3000 | WmiApSrv.exe
960 | SearchIndexer.exe
Reads user/profile data of web browsers (3 TTPs)

Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history. The report attaches no IoC rows to this signature, so the page does not show which process performed the read or which browser profile it touched.
Drops file in System32 directory (24 IoCs)

"File opened for modification" records a handle opened with write access; the report does not show what, if anything, was written. The only write by the original sample is to System32\alg.exe. Every later write to a service binary comes from elevation_service.exe, and alg.exe writes one non-executable file, cd2fa667e5a029dd.bin, under the SYSTEM profile's roaming AppData, which is a useful host artifact to hunt for.

description | ioc | Process
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\cd2fa667e5a029dd.bin | alg.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 4b922f181390938a9e72b5ff66699dc81d34bed1a3dea26978895e7b839f6af5.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
Drops file in Program Files directory (64 IoCs)

Three lists on this page stop at exactly 64 entries, which suggests a per-signature display cap rather than an exact count; the full set of Program Files executables opened for writing is probably larger. Every target here is an .exe, and the writers are again only alg.exe and elevation_service.exe.

description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{87F23B05-A117-4666-BB8C-A9C77E6BFB56}\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | alg.exe
Drops file in Windows directory (2 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The two readers are the original sample and perfhost.exe (one of the modified service binaries, pid 4756 above), so this is one of the few signatures on the page attributed directly to the sample's own process. Reads of this key are also triggered by ordinary locale initialisation in the C runtime, so on its own it is weak evidence of geofencing.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4b922f181390938a9e72b5ff66699dc81d34bed1a3dea26978895e7b839f6af5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)

SCSI information is often read in order to detect sandboxing environments. Every read here comes from SensorDataService.exe or spectrum.exe (the Sensor Data Service and the Windows Perception Service), two of the modified service binaries, which enumerate attached devices as part of their normal startup; the page does not show the original sample or alg.exe touching these keys, so attribute the check to the payload only with code-level evidence. The keys themselves show what this sandbox exposes to anything that does look: a QEMU DVD-ROM (CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM), two Microsoft virtual DVD-ROMs, and a disk that identifies as a Western Digital WDS100T2B0A.

All keys are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ (prefix omitted below).

description | ioc | Process
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)

Processor information is often read in order to detect sandboxing environments. Here the only reader is TieringEngineService.exe (the Storage Tiers Management service), one of the modified service binaries, not the sample itself, and a ~MHz lookup is part of that service's normal startup.

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
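The VM-fingerprinting check that the SCSI and processor signatures above describe, written from the defender's side so a host can be compared with what this sandbox exposed. This is an added example, not code from the report or the sample. The SCSI device instance IDs are the four devices that appear in the SCSI list above; the marker table, the weights, the CPU-name strings and the helper names are this example's own assumptions (the report records which keys were read, not what was done with the values, and never shows the contents of ~MHz). On Windows, enumerate_scsi_ids() reads the live registry; elsewhere it falls back to the IDs from the report so the script runs offline.

```python
r"""Added example: score hypervisor/sandbox indicators from SCSI device IDs
and the CPU name string, the two registry sources the signatures above cite.
Marker table, weights and helper names are assumptions of this example."""
from __future__ import annotations

# Device instance IDs copied from this report's 'Checks SCSI registry key(s)'
# list (the sandbox's own devices, so they double as constructed test input).
SCSI_IDS_FROM_REPORT = [
    r"CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001",
    r"CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002",
    r"CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000",
    r"Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000",
]

# (substring of "VENDOR&PRODUCT", weight, meaning). The QEMU/VBox/VMware
# vendor strings only occur under that hypervisor; "Msft Virtual DVD-ROM" is
# weak because Windows' built-in ISO mounter creates the same device on bare
# metal. Assumed values, not taken from the sample.
SCSI_MARKERS = [
    ("QEMU", 3, "QEMU/KVM virtual device"),
    ("VBOX", 3, "VirtualBox virtual device"),
    ("VMWARE", 3, "VMware virtual device"),
    ("MSFT&VIRTUAL", 1, "Microsoft virtual device (Hyper-V, or a mounted ISO)"),
]
# Substrings seen in ProcessorNameString under virtualisation (assumed).
CPU_MARKERS = ("QEMU", "KVM", "VIRTUAL")


def parse_scsi_id(device_id: str) -> dict[str, str]:
    r"""Split 'Class&Ven_X&Prod_Y\instance' into its fields."""
    head, _, instance = device_id.partition("\\")
    parts = head.split("&")
    fields = {"class": parts[0], "vendor": "", "product": "", "instance": instance}
    for part in parts[1:]:
        if part.startswith("Ven_"):
            fields["vendor"] = part[len("Ven_"):]
        elif part.startswith("Prod_"):
            fields["product"] = part[len("Prod_"):]
    return fields


def scsi_indicators(device_ids) -> dict[str, tuple[int, str]]:
    """Map each virtual-looking device ID to (weight, meaning)."""
    hits = {}
    for dev in device_ids:
        f = parse_scsi_id(dev)
        hay = f"{f['vendor']}&{f['product']}".upper()
        for marker, weight, meaning in SCSI_MARKERS:
            if marker in hay:
                hits[dev] = (weight, meaning)
                break
    return hits


def cpu_indicator(processor_name: str) -> int:
    """Weight 2 if the CPU name string carries a hypervisor marker, else 0."""
    name = processor_name.upper()
    return 2 if any(m in name for m in CPU_MARKERS) else 0


def sandbox_score(device_ids, processor_name: str = "") -> int:
    """Sum of indicator weights; 3 or more means at least one strong signal."""
    return sum(w for w, _ in scsi_indicators(device_ids).values()) + cpu_indicator(processor_name)


def enumerate_scsi_ids() -> list[str]:
    r"""On Windows, read HKLM\SYSTEM\CurrentControlSet\Enum\SCSI (the tree the
    report shows under ControlSet001); elsewhere return the report's IDs."""
    try:
        import winreg
    except ImportError:
        return list(SCSI_IDS_FROM_REPORT)
    ids = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Enum\SCSI") as scsi:
        for i in range(winreg.QueryInfoKey(scsi)[0]):
            device = winreg.EnumKey(scsi, i)
            with winreg.OpenKey(scsi, device) as dev_key:
                for j in range(winreg.QueryInfoKey(dev_key)[0]):
                    ids.append(f"{device}\\{winreg.EnumKey(dev_key, j)}")
    return ids


if __name__ == "__main__":
    ids = enumerate_scsi_ids()
    for dev, (weight, meaning) in scsi_indicators(ids).items():
        print(f"[{weight}] {dev}: {meaning}")
    print("score:", sandbox_score(ids))
```

Run against the report's own devices the QEMU DVD-ROM alone reaches the strong threshold, which is the point for anyone operating this kind of sandbox: the two Microsoft virtual DVD-ROMs would pass on a real workstation, but a QEMU vendor string cannot.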
Modifies data under HKEY_USERS (64 IoCs)

All writers are SearchProtocolHost.exe, SearchFilterHost.exe and fxssvc.exe. The first two are the helper processes that SearchIndexer.exe (pid 960 above) spawns, and fxssvc.exe is the Fax service (pid 1996 above); MuiCache strings, FileExts and Shell Extensions\Cached entries under .DEFAULT are what these services write on first run under the SYSTEM account. Treat this signature as a side effect of the modified services starting, not as payload persistence.

All keys are under \REGISTRY\USER\.DEFAULT\ (prefix omitted below).

description | ioc | Process
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Key created | Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e792891da32db01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | SOFTWARE | SearchFilterHost.exe
Key created | Software\Microsoft | SearchFilterHost.exe
Key created | Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b87bea90da32db01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000085c0d92da32db01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Key created | Software | SearchFilterHost.exe
Key created | Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Key created | Software | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005073a491da32db01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000266c9990da32db01 | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027ec7b91da32db01 | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Key created | Software\Microsoft | SearchProtocolHost.exe
Key created | Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007dc47491da32db01 | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7500593da32db01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Key created | Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid | Process
3544 | elevation_service.exe (7 occurrences)
Suspicious behavior: LoadsDriver 2 IoCs
pid | Process
660 | Process not Found (2 occurrences)
Suspicious use of AdjustPrivilegeToken 42 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 1112 | 4b922f181390938a9e72b5ff66699dc81d34bed1a3dea26978895e7b839f6af5.exe
Token: SeDebugPrivilege | 2352 | alg.exe (3 occurrences)
Token: SeTakeOwnershipPrivilege | 3544 | elevation_service.exe
Token: SeAuditPrivilege | 1996 | fxssvc.exe
Token: SeRestorePrivilege | 1780 | TieringEngineService.exe
Token: SeManageVolumePrivilege | 1780 | TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege | 3492 | AgentService.exe
Token: SeBackupPrivilege | 412 | vssvc.exe
Token: SeRestorePrivilege | 412 | vssvc.exe
Token: SeAuditPrivilege | 412 | vssvc.exe
Token: SeBackupPrivilege | 1036 | wbengine.exe
Token: SeRestorePrivilege | 1036 | wbengine.exe
Token: SeSecurityPrivilege | 1036 | wbengine.exe
Token: 33 | 960 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 960 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 960 | SearchIndexer.exe (24 occurrences)
Token: SeDebugPrivilege | 3544 | elevation_service.exe
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 960 wrote to memory of 1004 | 960 | SearchIndexer.exe | 121 (2 occurrences)
PID 960 wrote to memory of 4280 | 960 | SearchIndexer.exe | 122 (2 occurrences)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\4b922f181390938a9e72b5ff66699dc81d34bed1a3dea26978895e7b839f6af5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b922f181390938a9e72b5ff66699dc81d34bed1a3dea26978895e7b839f6af5.exe"
  PID: 1112
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  PID: 2352
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  PID: 3544
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  PID: 2912
  - Executes dropped EXE

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  PID: 2024
  - Executes dropped EXE

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  PID: 4968
  - Executes dropped EXE

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  PID: 1432
  - Executes dropped EXE

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 1608

C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  PID: 1996
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  PID: 2004
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  PID: 4392
  - Executes dropped EXE

C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  PID: 4756
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  PID: 804
  - Executes dropped EXE

C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  PID: 808
  - Executes dropped EXE
  - Checks SCSI registry key(s)

C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  PID: 1008
  - Executes dropped EXE

C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  PID: 4660
  - Executes dropped EXE
  - Checks SCSI registry key(s)

C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  PID: 4364
  - Executes dropped EXE

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 1816

C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  PID: 1780
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  PID: 3492
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  PID: 3248
  - Executes dropped EXE

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 412
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  PID: 1036
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 3000
  - Executes dropped EXE

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  PID: 960
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\SearchProtocolHost.exe (child of PID 960)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    PID: 1004
    - Modifies data under HKEY_USERS

  C:\Windows\system32\SearchFilterHost.exe (child of PID 960)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    PID: 4280
    - Modifies data under HKEY_USERS
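The process tree above is the security-relevant part of this report: the sample (PID 1112) and then the Chrome elevation_service.exe (PID 3544, running with SeTakeOwnershipPrivilege) rewrite service binaries under System32 and Program Files, after which those binaries start under their normal service names and behave normally (SearchIndexer.exe still spawns SearchProtocolHost.exe and SearchFilterHost.exe, vssvc.exe is reached through the VSS COM API). On a real host the question is which of these files were replaced. The script below is an added triage check written for this page; it is not part of the sandbox output and not code from the sample. It assumes an elevated PowerShell 5.1 or later session on the suspected host, uses only built-in cmdlets, and locates the Chrome/Edge elevation_service.exe by search because their version directories (123.0.6312.123 and 92.0.902.67 in the sandbox image) differ per host. `Test-SuspectBinary` and `$ReportHashes` are names chosen here; `$ReportHashes` holds four of the SHA256 values from the Downloads section and should be extended with the rest.

```powershell
# Added triage check for this report; not part of the sandbox output or the sample.
# Assumes an elevated PowerShell 5.1+ session on the host under investigation.

# Service binaries the report shows being overwritten and then executed.
$SuspectPaths = @(
    "$env:SystemRoot\System32\alg.exe",
    "$env:SystemRoot\System32\msdtc.exe",
    "$env:SystemRoot\System32\snmptrap.exe",
    "$env:SystemRoot\System32\locator.exe",
    "$env:SystemRoot\System32\SensorDataService.exe",
    "$env:SystemRoot\System32\spectrum.exe",
    "$env:SystemRoot\System32\fxssvc.exe",
    "$env:SystemRoot\System32\vds.exe",
    "$env:SystemRoot\System32\vssvc.exe",
    "$env:SystemRoot\System32\wbengine.exe",
    "$env:SystemRoot\System32\AgentService.exe",
    "$env:SystemRoot\System32\TieringEngineService.exe",
    "$env:SystemRoot\System32\SearchIndexer.exe",
    "$env:SystemRoot\System32\OpenSSH\ssh-agent.exe",
    "$env:SystemRoot\System32\wbem\WmiApSrv.exe",
    "$env:SystemRoot\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe",
    "$env:SystemRoot\System32\PerceptionSimulation\PerceptionSimulationService.exe",
    "$env:SystemRoot\SysWOW64\perfhost.exe",
    "${env:ProgramFiles(x86)}\Mozilla Maintenance Service\maintenanceservice.exe",
    "$env:ProgramFiles\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
)
# Chrome and Edge keep elevation_service.exe under a version directory that differs per host.
$BrowserDirs = @(
    "$env:ProgramFiles\Google\Chrome\Application",
    "${env:ProgramFiles(x86)}\Microsoft\Edge\Application"
)
$SuspectPaths += Get-ChildItem -Path $BrowserDirs -Filter elevation_service.exe -Recurse -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName

# Subset of the dropped-file SHA256 values from the Downloads section; extend from the report.
$ReportHashes = @(
    '852467c4c9ffed9a52a991f4649e04e9bf571f833c6d277cd488a9b74c329b62',
    '6534454dd61aeacdb927fdfdcd512ed139ea4211dc05f0a9afa561d5eb590be0',
    'e6fb9246c4426b2adb5894cfc7f0d253d77d2ea75196362e4148e555fc3fa267',
    'd0b057df111393bd1a673fc9d692b706b233fd96ee8158714fdec912dccca492'
)

function Test-SuspectBinary {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path      = $Path
        SizeKB    = [math]::Round($item.Length / 1KB)
        Modified  = $item.LastWriteTime
        # Windows OS binaries are normally catalog-signed: expect Status=Valid, SignatureType=Catalog.
        # NotSigned or HashMismatch on one of these paths means the file on disk was replaced.
        SigStatus = $sig.Status
        SigType   = $sig.SignatureType
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # -contains is case-insensitive, so Get-FileHash's uppercase hex still matches the list.
        KnownBad  = ($ReportHashes -contains $hash)
        SHA256    = $hash
    }
}

$results = $SuspectPaths |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    ForEach-Object { Test-SuspectBinary -Path $_ }

"== Binaries that fail signature verification or match a dropped-file hash =="
$results | Where-Object { $_.SigStatus -ne 'Valid' -or $_.KnownBad } |
    Format-Table Path, SizeKB, Modified, SigStatus, SigType, KnownBad -AutoSize

"== Full inventory =="
$results | Format-Table Path, SizeKB, SigStatus, SigType, Signer -AutoSize

# The report shows vssvc.exe being started through the VSS COM API. List the shadow
# copies that still exist before relying on them to restore the overwritten binaries.
"== Shadow copies present =="
Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, VolumeName, InstallDate | Format-Table -AutoSize
```

Treat the signature result as the primary indicator and the hash match as corroboration: the Downloads section lists hashes without the paths they were written to, and a binary that is rewritten around a host-specific original will not hash identically on another machine. A file that is still validly catalog-signed but whose size or LastWriteTime does not match its neighbours is also worth a second look, since the report shows most of the rewritten files coming out at roughly 581KB regardless of what they were before.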
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (T1555), 1 IoC
  - Credentials from Web Browsers (T1555.003), 1 IoC
- Unsecured Credentials (T1552), 1 IoC
  - Credentials In Files (T1552.001), 1 IoC
Downloads
Dropped files as reported by the sandbox; no mapping from hash to on-disk path is given.

Filesize: 2.1MB
MD5: e51cc281ca2b2337e5b9a420a19c1e09
SHA1: 6c923781a97d0eb1eb200fe61c008c6989d3081d
SHA256: 852467c4c9ffed9a52a991f4649e04e9bf571f833c6d277cd488a9b74c329b62
SHA512: e023c07137307b711d52a50f581951e67ff9ddad2f4f1cf71dc7588d7cbdbcb961d2feaeb2e59e4466c4855d0cfda708815f7bceb14937040064cecc35f7583f

Filesize: 789KB
MD5: 9bee183346d716d8f873d9a83e4e0500
SHA1: e5678f919240e17537e32e9f01bb70cb717eb171
SHA256: 6534454dd61aeacdb927fdfdcd512ed139ea4211dc05f0a9afa561d5eb590be0
SHA512: 7c80c60268bf4d36d67f50396d24f0ba05db9aec56976106142aded321a4d88fca0f8cb3fe36b7613fdfc4c8935a9d5838bc34fe8d75b73fec7687cf8bd3b9a1

Filesize: 1.1MB
MD5: c699459f8186730bec63c1bd3bff863d
SHA1: 4f53aae5a0f2bb0bba2c857168243db44179e47a
SHA256: 9f633017f1736ba4fd3044bccbfe4ac6a840def0a041a88ee5c6c0e35fd9372d
SHA512: 279f227d39fe54b1eb893382fe8470875d6f91886bee558a107c1c34e0dcf258814b78cb3bca9d35d2f26789c25e25b3b82061943e055c4b56e7f1c161ae6cdb

Filesize: 1.5MB
MD5: 0b8024b3f93fb6b9ffbba14c1ab17a0b
SHA1: 60b99918d51c567683a1aa3862645572bca0e1c0
SHA256: fda547e8bf51ab413b5cc4477e40beb6a9f1e5ff12f922a690f03bcae52e62e6
SHA512: 741f4c935e5cd91de46814f09f5d047c087d68d7c2958a97bd12c3f9f41893de73927f2e8a1711a10875d2c8b5c250dfccbbc5521f20c4f7027e6f715f3d3f68

Filesize: 1.2MB
MD5: e1f7f2f9d798a42c45ce62758d1a023a
SHA1: d5c121e162b74f5e68d193ffe24f82cd032be00a
SHA256: 0f749c46d3eb2fc33c35bf0e399b015c0cdef5fe20d25ca6afe45d49c8728fa0
SHA512: 5b6ed8ac29c62771ed994bae515819222228c87db46121e2c1a82da27cbea7fc5085926ffc0d82be24b81f9c5f897a96eddc9f4c418f3edefd7598d95a60d56e

Filesize: 582KB
MD5: 6a57878f6a575b1d2ed8642b8a33e016
SHA1: ee5a9e522828eeb3c37a126405235b751d7192c7
SHA256: 221ec9bf599d8f38e9c96c38039e2e8b13702323e83396033a3d1a9893fc501d
SHA512: cde2ab63d03d236a523cff93ce7a431fa3250029e9afce7b5428b83d36904315c2733a6dd2c41346eb2ece75c9fcaca9df63c9d4821a7d1222091ea2442fa98a

Filesize: 840KB
MD5: 89f501c7c40bfed348ed6399b51fde95
SHA1: 9c9279ed3ce6cbf89cc032372278a97ad272a9a7
SHA256: 759a78e372095e06f92469d9566cf49acb5aacb55c21bf8afc7b0e06ac26d669
SHA512: 4e183e86df7d83d009ce08b98a1e9e87adc839996ad5cc4a7380bdd98ae2728ab484ed87752f410d0a2c59f6a9e8006ce01de1e3c77f449a0adb530b5c92ecf8

Filesize: 4.6MB
MD5: 0f12e13d1536c08d284893186aff93b6
SHA1: 7ec0eca6df6650a55038eb239dff3363c7465507
SHA256: d6cdc25a57044eabb3bb24d5fa9d1cad4ceffa36ba76fe1cf09fd4155fe555ca
SHA512: c3a48283fa0d9ed1b9ebee17c63e562c1ec4229b5d9233758b1005287f22d53e8c6922646793d51405954657e3a726459b673ec43a13bc0c18d0298f9dfdd4b1

Filesize: 910KB
MD5: 6afe61fece4255b81ed5ec21b9c2b880
SHA1: 282771a7d12899a33bc7a092ea3fdb28588bc9f5
SHA256: f6a2b43f331c55156271f6ef84d5709772019f238af109378dc89cf1b9e40958
SHA512: 7ea500f1b8137b8a749cd94727b85c1b30c73b16e6c2dac1f3e61cca55bf51e5f79196c35a77e3b30936efeb227de053e8d532005a2d3cb56b861bdeea3423c0

Filesize: 24.0MB
MD5: de96fe147190bd92fb31c52ab151fe1f
SHA1: a7942ae6f854a9721f0c0d04e460954e35b91e4f
SHA256: fba18dbc913de8246dd25409e0590f70b8c2826389f6937c5c59acff01eec5bd
SHA512: 5316aa36e8350b169b22c906ae39b4d790ac9bce715516ff185ca5638a463dbef6d95f30ce79ed6c44ce51d4b1d75bb36f48d68ef6cf15ffaf4e6781d15fcec9

Filesize: 2.7MB
MD5: 756ecff04cf30c495bcf59af1633b1e8
SHA1: 4390b75f25e10b2ed15f4d1b7006b0cc4122e826
SHA256: 5384b55f3002d3f4eeeeb61cd5a142f97d4745ce280732e73002b49a2111c307
SHA512: f09d1983d3d63cc11240a00ae614dc418070e5531572ae6186b4f3e8525e9038db22d6747bcc23a7d34acc2616d45c451f15b609dd77e3b7aab7b5b7cc430e4a

Filesize: 1.1MB
MD5: 36136ba938255dd2d32c89fe926dfcbe
SHA1: 136d9c9fa071c98c43ad88329b4dd4f1b8a084d6
SHA256: 99a7f7a9b3aadac93021db3334dc47f8ad7bd6b1ba4e4e12c17111e81fc3743a
SHA512: 484f39a68d1975e14b1983f88345e25000789093e8936c5ee7050dc7ed62077af5dc56797f81d2040c353109f9f8265118d06f735071415d4399ee5c0240adfb

Filesize: 805KB
MD5: 6c82b32a9d3cd2cc2075c7a841c0c6aa
SHA1: 3c9c7c82e18a743991a47ed1cc579e1677012cab
SHA256: 822c5a3ccc1dc317a1619c617fa705153a9965cd3876c729515769c8dd2e37fc
SHA512: 3b00fc57be0359960eaef48cae7f66bfb91ada59c513936ab963769b9fe16416124d1db8f55469c7e47e73ece675abc72c0a4d59aa9d9b45f0e5092dbe187639

Filesize: 656KB
MD5: de1e3f3933492ce14436ab0486246bbb
SHA1: 773f1755a8036f6b0a93b013f2373728c92ad9e6
SHA256: 0a84e1d9f075736942119d0e255957808043a9b1d686df9c8fedacac96622aee
SHA512: 465a9e15b444bd4bd5e8676c536a88417943f651b7465b9361400c8c596effc5baf29c44765b17d3b2b8cb5ba4c9dbc049f08f6397ee344029743aa6f1f62859

Filesize: 4.6MB
MD5: 4c7a1f6eb0084c21284be044e735755c
SHA1: 65cad4654e890be7cda4caf3fd660e34942cac1c
SHA256: 1472b966981f65b77e2c4f2d79cd1bff5e771490f4bf82e549b81562f1fee948
SHA512: a74447b393aeb5008f68850eea4630b6b124c1be795a06664cd33b915e5f7faffa20206b87d588be16e475c5607007200f331d1c791b7241bd6cd41137764496

Filesize: 4.6MB
MD5: 010efc20255164fe87ea364def807d67
SHA1: 448ba2a35a358342a0d2b672bec4567caa32ea8d
SHA256: bbf36b5d0224c0377389f618cb38713e451ab6c1443651bcfa57f7a4cfa6d7d5
SHA512: 2bf3f1aaf596ae8f86d359af6504aa41a9e45dd16a0352c06b57c0ffc3e98658b0621255c8c368549598450c1748715b6e7b9fcefadc0e985d2ad6a02294b2e7

Filesize: 1.9MB
MD5: 438cdbdeb37a637f116a4697d93dcf09
SHA1: 4fb775887e9e5bddbfdea24285986e1eccc17910
SHA256: 06a5e3178efa311d11254a1f76d3e3650251620b53b2b8eaa9524eb3a3f05790
SHA512: 78f755e2d0fae2e1a150862d1109a4a945395c148b935b0f291bbb83ca19afeab0b68d3777809b5f9bfea31f4ed0d3d08594a847169f2f2a6c9ec78f4e536ea5

Filesize: 2.1MB
MD5: 51b4a5c52fa8296c1a2f0e2ec2310fdd
SHA1: f4374feeafd2f6580dfeba8b82a3246a3f23e1a4
SHA256: 8123280ab4a7e93b003bc0186b5fdeae286264f3308b53c48b45b5900445dc78
SHA512: ed96147ef4313f3c3f848f0f27fb63673ddabb7f376ad7aff5ec521a55c4d08251927c92b73caba5739b51d54e4de7250dd8a141d2ed99ea1533a2122b380d9c

Filesize: 1.8MB
MD5: 730a3b9c5419f41e3ad0126f530e3cb3
SHA1: ef9f8fb8d68ba02298b2003d7e1d6fffe31d4955
SHA256: 18b1f06d24b75622425a8969d59e2f0dca88ed036d9ef8ff3fc86931a9049a89
SHA512: 2606caebc3f0d11584b3700c523d101eb3870903861369d2c29475c479a5d7a7b907bce63b22fa8a0f77f80378e4efd21a5979e840443193ec4c33eae821a6d0

Filesize: 1.6MB
MD5: 433a798820233cf1813e3afb3132e00d
SHA1: f95fd60c79296903a68bd8d0cd1cd57e8b7c47b9
SHA256: 00ed088c4063351357f08f73b3df90980f8a2aaa1deb7d6a9345dc17a3ff732b
SHA512: 81fd4cda0129981f2c5608f2b3785eee0f932901bd3976e92b98bae8525002e02015599b67f199e628b08146a9f9d588b2c05579e681e4a63d7f4bd1669eddd8

Filesize: 581KB
MD5: 4787bb8fa2273558610c718369feae01
SHA1: 88f90ecee68671256a95665e14b81bee896bd93c
SHA256: e6fb9246c4426b2adb5894cfc7f0d253d77d2ea75196362e4148e555fc3fa267
SHA512: 00be81c6e030373ac1dac81e56d396af36733015b84ee8efea3418e1c34069bbe76a77817809556192f318e06388d78c430063fbb11e7a246667ca4f3d034314

Filesize: 581KB
MD5: 3f119e91658cbdd1e75dc0704241811b
SHA1: 8a43df7055db2df4f6b016c38c7abf53cc11a32a
SHA256: d0b057df111393bd1a673fc9d692b706b233fd96ee8158714fdec912dccca492
SHA512: d562b24c9aad76c6841b4c212576362d809bf505e9cbbe0559f285ce769af1452ff4d8ba4d558cc722d5db5ff97abd0439595246f8f8c04d7b0f0ce577c185d3

Filesize: 581KB
MD5: 364be314322a155df832009df526f830
SHA1: e8992988da5855e0795f169e3b3ea9f4f704d9b9
SHA256: 58fefa264ffbe8d62e0ce176fbb6a41f22487aac18a68f336f486607acd17ea9
SHA512: d52901eace2f6c64dbf4eaccdc65a7155d011fee1cff5be8cdea4d6869a303aeecc152a2e469ce0724fa9baf083bb998ad26d2a8f464f8bbbf31870994d98c49

Filesize: 601KB
MD5: 03e22f32f33162340428d6a92e88341b
SHA1: faacf1e03800374e27b303ca4de88a1a8ad4e129
SHA256: 190e99aeb9a47e9c11e111e949fcf9a5ef583b785d6638d519d803d0393e8335
SHA512: 61ba8e4a7a29cdff8abedc31dd6e64fe889e00c446ab61c2620d432c6a1aa57b183ac1f13afd29d418e776e8672b87ac8fddeb3121600a78cf8cca9acaddc094

Filesize: 581KB
MD5: 322cf0a431ebe6ace4863e711255e248
SHA1: d62e5b46c13f4362953929d0467ac2afe2f2f0e8
SHA256: 4ae66f1c2803fd2c7f61c56fed5e69747a810da85f510412aad364d02456d3a4
SHA512: ef1258f615f19e6f4f1741e616442f6344e6aa335f42a004525687bcf9a12b59e2077a14ea013833a28a0c37d68e3b203e183b8416796e8474270b046c42ebda

Filesize: 581KB
MD5: d616c0a9a56cbe121172da5e78044948
SHA1: ab5c9741ec96c24016018b788195664666263230
SHA256: 11ce510c51fce6b08f06672203602f1709e4d925060ceecd1096406ffea3c16e
SHA512: 7a30c0987c8427762b8626d3c2ac550cac8c7f3406253ea50f4699a99019d9fa2ddf0199fc30e92ac595b8a7f28bce557237a976452119a08fc57f5a5e80e68a

Filesize: 581KB
MD5: 85ba937f3dd53de958780f80cf8bb321
SHA1: f67770d722986b27a12fad3ec5c265560c4486a5
SHA256: 1e1f748710a6d28405643bae44d1190a627cbea3a5b9eee274a4a2c434b5968d
SHA512: d05cebf9ab151e47e11902acecdf29addd2d010a62600d095e5a13c6a059b518d81b8871b110219a282d67ce2f3f1c50a188410ea4d5288911cc3aaf04623cb5

Filesize: 841KB
MD5: 40e91d23f07df8b295e4db02fd01429a
SHA1: ece861446896110c6a8bcca51e56c28adfcf3082
SHA256: c495e72bacfb7a917d37fdb18ded9e476ab54bb1640950e107880e8d137b7d32
SHA512: fb79961669714e9a094f6bd2a4670e1d30d24f79f291eb335721409cb177b9153c00e5c3634248818df850f1ae80ca49615ad8db2f4a7a2c17136b547891a9c4

Filesize: 581KB
MD5: 368204e502f06b22b2c56cb70881df69
SHA1: 43f2630abf93989a53ef3575c0d848adab238974
SHA256: 3a1e0831aed597a47383eee535ada20c5a8dcc7b575a08b8b0d33d7aca734ccd
SHA512: 50fdfd63d69f4de8c3106c9223b587ca45a00529e410ac9968966693bfc5c6f5ccea0a18de01c1d12c8fc984844eb4da33a8a32b5144cdb7380c76911c58206e

Filesize: 581KB
MD5: 5b5e6d585f758f1ea9182f1296b18400
SHA1: 50ef942c0e22e691002bbd50f7a4be98e545c252
SHA256: e9a6352cb001972a0f544bfad5a85f36dc33ac33ea7346a1d7606d209d50b312
SHA512: 603609ad2f5ae0ae4a4602849b934603a24cfc88ef7f4994ca00aa8f774f911396f6f0253241eb38f0f0e8eed45d9aefda02a8de59350313906550d8aeba32a6

Filesize: 717KB
MD5: 6201366e1bd6f25d1c7e86b365859324
SHA1: 2dd912b3cb2946ba93da385d90f6326c25e7ae8c
SHA256: 0189087f8e00f2069a5f3292caf4c667a37134dd1bde3d8161c7fb01f6e00626
SHA512: bd373e59ad521aa71d6712bde8b2459b0976c12fa9e3a6d5104a0f894a0957a37fa1142730b881ba27d0e1e22e1643a3f65a02e9ec443285145d52b1d64e6def

Filesize: 581KB
MD5: ff0d3de65eace915f22a66f91147d745
SHA1: 2dfe1ddd8770a63fb1c4b8b9d940775b6543e9cc
SHA256: 11bda10cd723d261f2dac2d2740020e228de75e38d2cf44728bcccd46b13ee5a
SHA512: 6416e11dcc892f50e951bb7f2506fd37c6326d2c2dd0a25826a2d97e6d634fddaea7e0adbd9441fe5b7048ae6744c358ff6a39be68359f711f39279f13d74207

Filesize: 581KB
MD5: 738656cba3ac48afb8b45dcb3413de47
SHA1: 0ac035534bd809c8f62dfabf7998715f6514cdd9
SHA256: d0315a6acf1d7505b92d3f7d308058cc7275e9a63278207f8472d2db33ce7586
SHA512: cb860765388901ee42231d4927df85ffaafbe68fdf83947355f6b1f744011b5aabed07434449659b40eddf545ca78c8258b220fc0d2a97dd242c502a7e20cc29

Filesize: 717KB
MD5: f8939af5fae5544e1f1c4312e47ff3e7
SHA1: 1e13df5c159d98485ec1367b30070d5b021d69c5
SHA256: 35e6a8952fdc5363bba602ffdfaa40d7b02388881cb3f452b39bc7314e53864d
SHA512: dd5b776e88a87d902158337d15590f1835a05a424be37df59ffef662e9f0c696169ce000c3a8909d46966326d4f1328b2d1b1d701cbc4a929d6c0094d03b2919

Filesize: 841KB
MD5: 07e7cc4894341905cccd27390a1d3ed5
SHA1: 7e5004799bebe35393913bb53dc479b304417fe3
SHA256: 959a7742aca219079ad404ea06ffd44b219d9584f222d62549ec3166ee548aba
SHA512: 97cf4dd167288ec64ee4efc1a4c64d4518cff6f97f95794ea8e4d6006f3b0430e3319ffde9908fde9656bd513b39eef9c479807eaadabc1dfa248e5906d2fee3

Filesize: 1020KB
MD5: 8e6bdb17e5d0c57fcf871213e1fa5aa9
SHA1: 5fc24cbeee2e6b538572711cfc722a5cec84010a
SHA256: a75cbe80a3ff50955b715fe0cbaf60ab3ef13d33f318d85fb5719b8fb1eb69ed
SHA512: 69676876bde028617020ddd6e936caac6c92776ff26b0d780d716c855beebe7a1167865b24c3ffbf9b0f5a09d1f1e7af4dc352fb2982bd5a16bb8a1c2c91f94c

Filesize: 581KB
MD5: f2ecf851e5d3045ab5570ed37ddd594b
SHA1: 9115fb71169c6e001d7d2eea75da0667aca70983
SHA256: f26027c6b159e7bc7c091ddc948c4dc0aefbb93f6361316400c7b84766fcf05c
SHA512: 1c03a7954a0880609dfcc39765e87c052bf314667567a89a96e76366b39834d7540baf1753410d57af35dbef22c57001798bfda2e02ef1a3d526c8b04bfba402

Filesize: 581KB
MD5: 066f3beac76a04f160cc2c1ceffe4b4d
SHA1: 1d074359b87d29d8faa219b2fcc7746fb2c30085
SHA256: e906dc5d062262926064669397f993d9abf95bf145e9124ff381a4aa09b65e09
SHA512: 24cbdd01eeab90b89a790fdea79e317184ec3495b9e2f1c696db4e61cd0f37968e7ea6e27abf1cc03764946026d14c72887587d3f0bd64734373a15ee1772a0b

Filesize: 581KB
MD5: cac4cfa94ffb4a9a9705f6abcd4af87f
SHA1: cb471c11d73869c771fdd1572a085be0171ca5de
SHA256: c35c1cbf2d7194e62c33b3a2dafb1b908790a900ab88aa4a24e5f32a754e3237
SHA512: cbabe852d802b60b60e11fada63d00dc56ac3bf373a805994ba2efa61f7b81757b44924ac73ae6a591ceb92f7fde68172799685a1178d89ada1968c62de4fb86

Filesize: 581KB
MD5: dded1eb85401134c0f46b819d41d10a8
SHA1: ec903f2143a852d13863171ca25d184c0a4c54d3
SHA256: b7fd4f9af64fe8177d6b890344af40895879d6668ba03cf34c41385530d2b2d0
SHA512: e3bd0508e639ac0f854ec2bd802cf3792c6306fb33c786ea374d02173841307f727d4f778079c66df597fbb2883ae2ccab378df679fec1515f9e872d205019da

Filesize: 581KB
MD5: 5850ba1449fe2c7b1416a293f8043a51
SHA1: 4a2723945d0f86acd303efe9b365e709b469fa32
SHA256: 95ef6e195318e4f7a2f44596e980b12dde12a47b575fd4f327012e5344aeefcb
SHA512: 343e9476d8571343cdffa19bf7080be37571e97592a10c6386d78ffdd8c2bfd53b002fecdcbd13ade2b751eae80a893473c3dcbd5a216f4f8e3abcefd198e866

Filesize: 581KB
MD5: b8601649ec4e18b8f3eab91ee51f6c86
SHA1: 558f50d9dca062a1bbc52277926a91cf80196a9e
SHA256: 7092dece0bfa9208787e4876401f5e249b33b1907d1d680d731a0b4a606f9b03
SHA512: d3e7f00e934ee723566cc085b9b18dad52c026fffc9dea32ad900fcc59bc55d86a1696597073c32bd4127d6ae536b93a00f0339883a190e2958b1144707f6cdf

Filesize: 581KB
MD5: da0c5bad10b5e9f2e2c0a0c328117da3
SHA1: ac5ee064e1d16b4d14bd46a2b52ffcce8034dcee
SHA256: 4f8f80ef8fb1fd9eeda0a0dc2f7b571ff264c2b01f64ef7c716338d5599b0fce
SHA512: 7eaf8714a5524e1fffa8a6b451fde0e071ea681a313e55286af6980ca7c951d5965f76745d5414f6105ca625ffb8a0168368c87c2680e36c0741c5ae86719ca9

Filesize: 701KB
MD5: fb22462cdd991a2e304c3633cd51f192
SHA1: 090d4715e70e7eae7d5196b1e148224d3e348556
SHA256: 054bebffe8603e020054a8f83c1a54f4ed67e5b5e5b702e94a0095a93fc36c9d
SHA512: ff038f6862ab42b60ed8b5e258d826af80bdda24961641d523c4866e354977cb354e2505bd0694cd672bed32d1f14ac3600a09fa69bb37ca327096d2ff5a61cf

Filesize: 588KB
MD5: 4d9445c1cf244be34bc5ce1239a59850
SHA1: 80bfeac71cf650a72a7162f935df982a5f04be7e
SHA256: 775f35142c12d1a7e93143a207007bac47e2b67db119674cae5cc289ba86e435
SHA512: c6df6f9afdcad02b3fa5f5171c26dbf208dde5545b4c327a8eb1bcfb5f8fa6d2d3a5c81f60c070fc68ec739ca8be8fd2cacc1649991d481e863d0567f8e054b5

Filesize: 1.7MB
MD5: 78378402fbd5592e706f1ac0ac329943
SHA1: 175f7f3d5b532ebc702f941a95cbc7640de38eb5
SHA256: 7f7345ec85b64a2463ad93dac92422ce53fe75d2587637463e3801e95c0520ae
SHA512: 5d1879ad648bd56a7fad618b95e04c86fc28b1d7a74c5f4b09426eeb1846b85dae4af75a00348ba305740e01ba2417dec9388f84a17d296519bd60c7e5a06c63

Filesize: 659KB
MD5: ca228ff396ba0f932d14ebcf130041df
SHA1: b010d6bd7f3cf9f4208e8aa5156809eb75dee70e
SHA256: 91a45a8f00ccb77afd5c0f8aa6704a72056d900511b5d29870dceabacd13439b
SHA512: be2a71d70d87daac0f84739a821173988e8dd77021f280db0a6d5d202aa248ae6f1b10e9694fe4f428bb7218847d8714ad314f0f014da32ae66c6f318f0d993d

Filesize: 1.2MB
MD5: e297fa6fb214b7d1bf8a0c73806839c2
SHA1: 5ed2ad5d7c3b5b54b5b4eb28dc063229ea577c75
SHA256: 2f9e4f8baf506305b3a17841a20ae7703ed18899146a86efcfa9f5da00d6c94b
SHA512: 9fdf935ca834cc9df1f14a0db62ae7ab8c0ff4af01919fb0fa378c78a558527890ba243caeddcac0e9d73911a84ad759b027153211367c80ab1a62be322d898e

Filesize: 578KB
MD5: 9e25192031dbda2b0836ab444c14abe4
SHA1: cf15148c43f3e2fda22408613aa2389bcb3016ee
SHA256: f754717260da8e2b0e0c857072dc002725872f530102b2f10412f28260861049
SHA512: b12f8c63252a255a0b74172e6a06ea02bf742c3392aa7a6de28b45f34b89f788f276b986e79f2ec84444103775f5833f817451bf456bcfc89ff05f87d69615cb

Filesize: 940KB
MD5: d0f0c0eceaaed44263a4f9f059796323
SHA1: 7faef55f666acfd69e66c309210f4296e7ce01b4
SHA256: f41ce9e3aa9fa74dfcfd01f0ac87c37cfdc973e16da574d9d254548daa174469
SHA512: 1cf82b66acc9d05e8d5a019a97801d1e133f765b760b738ae146042d7f23ca5f2d68d0da53780fe28f92fc83dbc8e5f03022679211c657e2463772d8272bf299

Filesize: 671KB
MD5: f803a3fddb61a2f3bbc3d4ee2ec67560
SHA1: a1b38707644fefafd99d002eca29dcbc570c4cb6
SHA256: dcb4e51b3c16b66272737a9caa78c5735d059fca84f41134547269022ffa0aed
SHA512: 4d055377d7d679cfb4b6335eb2da4bb611222ea2bc691836692d9a873d1023dff7205a439fa9224e4f6bc3548af68e130747bf19428e066e540076b9a4a64f85

Filesize: 1.4MB
MD5: 1ca8d3d715de93427056ded636806f3b
SHA1: e1853e3d414e9d1090d32877807a5a35086d5ae6
SHA256: 6f0413873f452ea50f65cd997ef6a551c041805fa68d969e464e819f2250dfc7
SHA512: 15c8df4cd1f9177e98838e61fa76d914882b70a0eb3da28c9e007e5cd451124ba5cad942564788a5485bf07f30c96b1f8b7e555531aeb2ecbfcee41d30ad1c3f

Filesize: 1.8MB
MD5: b03262267cb0bc2c6b3f243764714ab3
SHA1: 621e9285dd5a0f51628b071047c656d240636bd1
SHA256: e02a303a32fc3c1b57a7ea3a8bec943339699f1edcffbbcde4f67a5db77ab665
SHA512: 3ffd45ae401589c44d68302a680d88215f6e079a37767cd65ea336dd0f2f10b6a4047a40e4ac04beeec4dad22ba07cf7f042e95003f5d319a098147a3b8f5106

Filesize: 1.4MB
MD5: fc6459523528e5597c1f786439a9044e
SHA1: 31a23ce3d19e7c16e42fe3b4ecb7ee64d47646c0
SHA256: 68b059976f9fff969c907fa74856aae06987eca1333b0e909d13ba34b774caf6
SHA512: 248f6ad116c875d98c970bd481dd397b4043e4bbea71ec81e2a92dfca5a925bb31d408dc0a65563bc8b8e27e6601e409f0bccd349a2b521c7d7ed7eaeb790f13

Filesize: 885KB
MD5: d71cb06e989a986e6101be74c8a48290
SHA1: 17d744fb0936ed6dcf329aa236fe0d2d4eb21411
SHA256: 4157b96fcabb4c2eb8b7bf7b0913a89405bccb6fae17bc3015b14a0f80a67414
SHA512: af8691086e544d8e52c838bfbf4f4b540788d1c33ea4d3f5ec8a1caa2f5ca0597c279162ce80193b6a850dcdf1e594d96434204ac0a679739c168d4f8bf22009

Filesize: 2.0MB
MD5: 2e62d657a530b2c8ae4cb9abe002eced
SHA1: 669a05c2ca4afef93ec6b0f4898621ca866ebcb7
SHA256: 687bbc0195e96e977717c97e9d4dd9265234f87d3d5ea947122303cfc4cc1fd6
SHA512: 39501c64c3d7d58e53766d3fa0aaee6028af69a95b3f351ea78be233c52aec8715a0d090eb21bbfc8955144c2925d2705d135d799efb98b93c8fa5bf218baf01

Filesize: 661KB
MD5: 19e50d98d1c5afc71cb2e3adcc33bca2
SHA1: d782bc3f160912effd52a0bb73c404e9daae2c5e
SHA256: 26ec76bfc6597c405311737a909239b2a0b076f2eb53a28177bb3eae22411ac5
SHA512: 1d4970923a21d6380593481776b4863316caaad02bd7559ce0662c220fe38dbcd9d120d08fd74194130cf86717e403bfe0f62cd42be5eaecd5acbe3dd8c0bdda

Filesize: 712KB
MD5: 5e6c2358aed7bcfa7357c9fd1d42c0f0
SHA1: 9d402101e5e1fa1eed815b66cda825b9291b1fbc
SHA256: ea0e4ee9e7aa6260228810da4e260806564bcb6c37d432752fe5c01a964803fc
SHA512: 5be0b7e61ae9a346b7256c9ffd2f308beabf1cdebc8972299812a1d4fbc428eaef504eecd0f33b6479ac846a4390d3281afb90ac18022002320029ea808c8b44

Filesize: 584KB
MD5: 76db20b4eb1744f1d5807dfb343f818c
SHA1: e4ce9b4464fbfec1e31d1a17bbd1ad577592d474
SHA256: c818a11a46c565121841d4659260380877f08b9c2c26dfccaf36b601c993c84e
SHA512: 46b08bbdea8c220fc9d0794dee55df38ed7bbdcba8bf6da8a38526847c656a6625cf96f0fd25feeab9c018a509449133239a58a681f39681156cc2b50bffaf05

Filesize: 1.3MB
MD5: 9f711163c6381fece7c3fd9c7062c234
SHA1: f7dd36ae201554a19c296c85b78fcfa5bf154ff7
SHA256: 6b6da2d59e253058021eb3f9c8095173ac507e25c11ae801de2102e4735bd941
SHA512: 9063252693d1e1c5a12a6f00b5641114d1065c58aaa7a628f12fd3d0aba4e08b4793d2e6741927cb0d07bbba356aebf1ae8956a3abd93a99e85701a82e2350ca

Filesize: 772KB
MD5: 0941e0803ef990e6b6af59f69ff55239
SHA1: 2058f84ef950490d594c5a3ccd6be788592fa355
SHA256: 8e73e6e129d683160a87433b123855eaedb056f65aef60f283ad5db2b56b7af8
SHA512: 871a5c8ea2e91f699bcefe685fcff53f74121560c8c18e1007aa614f2346bb8ac02a5477ed508bb6f0a1d40524ce79aa34b3f4089881a08075ae45f6b46f24ed

Filesize: 2.1MB
MD5: d6ec129a63a88c22d8d5424af186bd4f
SHA1: 08832b86fcc28f2d131f98fe8a7ccdd6e8d563b0
SHA256: 07d9f9f7ad4c531fba9d35b124ae48a694e5d1e86025a9c4135ae89230f9237b
SHA512: ca7313cffabc83864f46ec22db7b7e8cec921717820123b3c42c5c177beb7a4855142515b99c9b0af2e9ae6ff82e98a2a48165f179f9a3eeaa0119b12b6f4702