Analysis
- max time kernel: 140s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20250619-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/07/2025, 12:05
Static task
static1
Behavioral task
behavioral1
Sample
2025-07-04_d3c2b6c998d5a8002aabf95c33fe965f_elex_rhadamanthys_stop.exe
Resource
win10v2004-20250619-en
General
- Target: 2025-07-04_d3c2b6c998d5a8002aabf95c33fe965f_elex_rhadamanthys_stop.exe
- Size: 1.9MB
- MD5: d3c2b6c998d5a8002aabf95c33fe965f
- SHA1: 7d1c750e191c8519d875ffce7574b4ed8fd472ac
- SHA256: 064ad9605fe1a8a7f085ad3e19b68aa45c6d348632c35f38c78f20670a2b8de8
- SHA512: 35a6a4b1e17f9a7a629a959fb768db0d52d81b3541e5562533e5de9353fb944c7152adacd8020e767ef0db0fde93d8d4b790a2fa9c97c7f513d4eaa880088f0b
- SSDEEP: 49152:BOCH3PVx/8N+MiZFL6ZU6CENlc7dpJLrQWd:BOCH3Pr8N+M069CEN6rV
Malware Config
Signatures
-
Executes dropped EXE 22 IoCs
pid   Process
1204  alg.exe
4508  elevation_service.exe
2920  elevation_service.exe
5600  maintenanceservice.exe
3900  OSE.EXE
2520  DiagnosticsHub.StandardCollector.Service.exe
4776  fxssvc.exe
3248  msdtc.exe
4940  PerceptionSimulationService.exe
4344  perfhost.exe
4920  locator.exe
5088  SensorDataService.exe
1500  snmptrap.exe
4280  spectrum.exe
3272  ssh-agent.exe
5864  TieringEngineService.exe
2172  AgentService.exe
5780  vds.exe
4320  vssvc.exe
3232  wbengine.exe
516   WmiApSrv.exe
228   SearchIndexer.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 26 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
description  ioc  Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  elevation_service.exe
File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2025-07-04_d3c2b6c998d5a8002aabf95c33fe965f_elex_rhadamanthys_stop.exe
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
4508 elevation_service.exe
4508 elevation_service.exe
4508 elevation_service.exe
4508 elevation_service.exe
4508 elevation_service.exe
4508 elevation_service.exe
4508 elevation_service.exe
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4296 2025-07-04_d3c2b6c998d5a8002aabf95c33fe965f_elex_rhadamanthys_stop.exe
Token: SeDebugPrivilege 1204 alg.exe
Token: SeDebugPrivilege 1204 alg.exe
Token: SeDebugPrivilege 1204 alg.exe
Token: SeTakeOwnershipPrivilege 4508 elevation_service.exe
Token: SeAuditPrivilege 4776 fxssvc.exe
Token: SeRestorePrivilege 5864 TieringEngineService.exe
Token: SeManageVolumePrivilege 5864 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2172 AgentService.exe
Token: SeBackupPrivilege 4320 vssvc.exe
Token: SeRestorePrivilege 4320 vssvc.exe
Token: SeAuditPrivilege 4320 vssvc.exe
Token: SeBackupPrivilege 3232 wbengine.exe
Token: SeRestorePrivilege 3232 wbengine.exe
Token: SeSecurityPrivilege 3232 wbengine.exe
Token: 33 228 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 228 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 228 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 228 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 228 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 228 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 228 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 228 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 228 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 228 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 228 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 228 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 228 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 228 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 228 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 228 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 228 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 228 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 228 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 228 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 228 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 228 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 228 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 228 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 228 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 228 SearchIndexer.exe
Token: SeDebugPrivilege 4508 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 228 wrote to memory of 864 228 SearchIndexer.exe 132
PID 228 wrote to memory of 864 228 SearchIndexer.exe 132
PID 228 wrote to memory of 764 228 SearchIndexer.exe 133
PID 228 wrote to memory of 764 228 SearchIndexer.exe 133
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_d3c2b6c998d5a8002aabf95c33fe965f_elex_rhadamanthys_stop.exe
"C:\Users\Admin\AppData\Local\Temp\2025-07-04_d3c2b6c998d5a8002aabf95c33fe965f_elex_rhadamanthys_stop.exe"
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4296
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1204
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4508
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
- Executes dropped EXE
PID:2920
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:5600
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:3900
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:2520
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:2408
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4776
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3248
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4940
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:4344
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4920
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5088
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:1500
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4280
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3272
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:5404
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5864
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2172
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:5780
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4320
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3232
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:516
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228
  -
  C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:864
  -
  C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:764
-
Network
MITRE ATT&CK Enterprise v16
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 1
Credentials In Files 1
Downloads