Analysis
max time kernel: 147s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/10/2023, 17:18

Static task: static1
Behavioral task: behavioral1
Sample: NEAS.4101b306a8126bd0060a1ed5685c5460.exe
Resource: win7-20231020-en

General
Target: NEAS.4101b306a8126bd0060a1ed5685c5460.exe
Size: 5.5MB
MD5: 4101b306a8126bd0060a1ed5685c5460
SHA1: 5530c0965492dbff4727687d2e22b49a679b6f56
SHA256: 386026d0c143b9744e97a431690f3abfb224a889b46aceca10bbf433729c8b27
SHA512: fef173ee0085a4d30929e40608e7d7487d6af5255cf74fdd3561a8ef39f3870047a60277c6830972fdb13773cc06add10b2e2791a936177462b6b17a88e355d8
SSDEEP: 98304:fAI5pAdVJn9tbnR1VgBVmNNEex+u5Ck9:fAsCh7XYyNX+uf
Malware Config
Signatures

Executes dropped EXE 22 IoCs
pid  Process
3032 alg.exe
5008 DiagnosticsHub.StandardCollector.Service.exe
3808 fxssvc.exe
1848 elevation_service.exe
3056 elevation_service.exe
2332 maintenanceservice.exe
3608 msdtc.exe
1964 OSE.EXE
4792 PerceptionSimulationService.exe
1496 perfhost.exe
5148 locator.exe
5180 SensorDataService.exe
5228 snmptrap.exe
5296 spectrum.exe
5412 ssh-agent.exe
5556 TieringEngineService.exe
5616 AgentService.exe
5656 vds.exe
5700 vssvc.exe
5772 wbengine.exe
5912 WmiApSrv.exe
5960 SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory 26 IoCs
All rows are "File opened for modification"; the writing process is NEAS.4101b306a8126bd0060a1ed5685c5460.exe unless given in brackets.
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\msiexec.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\wbengine.exe
C:\Windows\system32\AppVClient.exe
C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\system32\SgrmBroker.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\alg.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\spectrum.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\MSDtc\MSDTC.LOG [msdtc.exe]
C:\Windows\system32\AppVClient.exe
C:\Windows\system32\config\systemprofile\AppData\Roaming\6e64ea0b7a240f41.bin [DiagnosticsHub.StandardCollector.Service.exe]
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\AgentService.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Drops file in Program Files directory 64 IoCs
All rows are "File opened for modification"; the writing process is NEAS.4101b306a8126bd0060a1ed5685c5460.exe in every row.
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe
C:\Program Files\Java\jre-1.8\bin\policytool.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
C:\Program Files\Java\jre-1.8\bin\jjs.exe
C:\Program Files\Java\jre-1.8\bin\keytool.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
C:\Program Files\7-Zip\7zFM.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe
C:\Program Files\Java\jdk-1.8\bin\pack200.exe
C:\Program Files\Java\jdk-1.8\bin\xjc.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\VideoLAN\VLC\uninstall.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
C:\Program Files\Java\jdk-1.8\bin\jstat.exe
C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe
C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
C:\Program Files\7-Zip\Uninstall.exe
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe
C:\Program Files\Java\jdk-1.8\bin\jstack.exe
C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe
C:\Program Files\Java\jre-1.8\bin\kinit.exe
C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_153718\javaw.exe
C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe
C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe
C:\Program Files\Java\jre-1.8\bin\tnameserv.exe
C:\Program Files (x86)\Google\Update\Install\{4D2DBF58-BCAB-45CC-898B-72432E8740A5}\chrome_installer.exe
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
C:\Program Files\Java\jdk-1.8\bin\jmap.exe
C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe
C:\Program Files\Java\jdk-1.8\bin\serialver.exe
C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
C:\Program Files\Java\jdk-1.8\bin\java.exe
C:\Program Files\Java\jdk-1.8\bin\javac.exe
C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe
C:\Program Files\Java\jre-1.8\bin\rmid.exe
Drops file in Windows directory 2 IoCs
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe NEAS.4101b306a8126bd0060a1ed5685c5460.exe
File opened for modification C:\Windows\DtcInstall.log msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
All keys below are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\; the reading process is the last column.
Key value queried CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName spectrum.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe
Key opened CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe
Key opened CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 SensorDataService.exe
Key opened CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe
Key opened CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 spectrum.exe
Key opened CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 SensorDataService.exe
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 spectrum.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 SensorDataService.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe
Key value queried Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName spectrum.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe
Key value queried CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName spectrum.exe
Key opened CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe
Key opened CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe
Key value queried Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName SensorDataService.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 SensorDataService.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe
Key opened CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe
Key opened CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe
Key opened CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe
Key opened CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe
Key value queried CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName SensorDataService.exe
Key opened CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe
Key value queried CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName spectrum.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 spectrum.exe
Key opened CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe
Key value queried CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName SensorDataService.exe
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe
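Two things in the signature rows above deserve a closer look than the flattened lists make easy. First, the "Drops file in System32 directory" and "Drops file in Program Files directory" rows are all opens-for-modification on executables that already exist on a stock image, and most of the processes in "Executes dropped EXE" (alg.exe, fxssvc.exe, ssh-agent.exe, spectrum.exe, SensorDataService.exe, ...) are those same binaries being started afterwards. Second, the SCSI registry reads are performed by spectrum.exe and SensorDataService.exe, two of the binaries the sample had opened for modification, not by the sample process itself. The script below is an added worked example for triaging this report, not tria.ge code and not part of the original page: it parses a constructed excerpt (rows copied from the lists above, kept in the page's flattened layout) and cross-references which executed processes correspond to a file the sample wrote, which ones have no visible write in the rows given, which writes came from other processes, and which SCSI vendor/product strings look like hypervisor devices. The row-layout assumptions (one space between rows, the process name as the last whitespace-free token), the `VIRTUAL_MARKERS` list and the function names are mine.

```python
"""Cross-reference tria.ge signature rows from a sandbox report.

Added example for this report; not tria.ge code. Row layout (single space
between flattened rows, process name as the final token) is an assumption,
and the excerpts below are constructed from rows shown on the page.
"""
import re
from collections import defaultdict

# Sample name exactly as the report prints it.
SAMPLE = "NEAS.4101b306a8126bd0060a1ed5685c5460.exe"

# Constructed excerpt of "Drops file in System32 / Program Files" rows.
DROPS_TEXT = (
    "File opened for modification C:\\Windows\\system32\\fxssvc.exe NEAS.4101b306a8126bd0060a1ed5685c5460.exe "
    "File opened for modification C:\\Windows\\System32\\OpenSSH\\ssh-agent.exe NEAS.4101b306a8126bd0060a1ed5685c5460.exe "
    "File opened for modification C:\\Windows\\System32\\alg.exe NEAS.4101b306a8126bd0060a1ed5685c5460.exe "
    "File opened for modification C:\\Windows\\system32\\MSDtc\\MSDTC.LOG msdtc.exe "
    "File opened for modification C:\\Windows\\system32\\DiagSvcs\\DiagnosticsHub.StandardCollector.Service.exe NEAS.4101b306a8126bd0060a1ed5685c5460.exe "
    "File opened for modification C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\6e64ea0b7a240f41.bin DiagnosticsHub.StandardCollector.Service.exe "
    "File opened for modification C:\\Windows\\SysWow64\\perfhost.exe NEAS.4101b306a8126bd0060a1ed5685c5460.exe "
    "File opened for modification \\??\\c:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE NEAS.4101b306a8126bd0060a1ed5685c5460.exe"
)

# Constructed excerpt of the "Executes dropped EXE" pid/process rows.
EXEC_TEXT = (
    "3032 alg.exe 5008 DiagnosticsHub.StandardCollector.Service.exe 3808 fxssvc.exe "
    "1848 elevation_service.exe 1964 OSE.EXE 1496 perfhost.exe 5412 ssh-agent.exe"
)

# Constructed excerpt of the "Checks SCSI registry key(s)" rows.
SCSI_TEXT = (
    "Key value queried \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\\2&1f4adffe&0&000002\\FriendlyName spectrum.exe "
    "Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\Disk&Ven_DADY&Prod_HARDDISK\\4&215468a5&0&000000 SensorDataService.exe "
    "Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\\4&215468a5&0&010000 spectrum.exe"
)

# A path may contain spaces, so match lazily up to the final token of each row.
DROP_RE = re.compile(
    r"File opened for modification (?P<path>.+?) (?P<proc>\S+)"
    r"(?= File opened for modification|\s*$)"
)
EXEC_RE = re.compile(r"(?P<pid>\d+) (?P<proc>\S+)")
SCSI_RE = re.compile(r"SCSI\\(?P<cls>\w+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^&\\]+)")

# Substrings typical of hypervisor-provided devices (assumed list; "Msft" and
# "Virtual" are what Hyper-V exposes for its virtual DVD drive).
VIRTUAL_MARKERS = ("msft", "virtual", "vmware", "vbox", "qemu")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_drops(text):
    """-> [(path, writing process)] from flattened 'File opened for modification' rows."""
    return [(m["path"], m["proc"]) for m in DROP_RE.finditer(text)]


def parse_execs(text):
    """-> [(pid, process)] from flattened 'Executes dropped EXE' rows."""
    return [(int(m["pid"]), m["proc"]) for m in EXEC_RE.finditer(text)]


def correlate(drops, execs):
    """Split executed processes into those whose on-disk image the sample had
    opened for modification and those with no visible write in the rows given.
    Writes by processes other than the sample are returned separately, since
    they are either normal service activity or a second stage worth a look."""
    modified = {}                # basename -> path written by the sample
    foreign = defaultdict(list)  # other writer -> paths it touched
    for path, proc in drops:
        if proc == SAMPLE:
            modified.setdefault(basename(path), path)
        else:
            foreign[proc].append(path)
    overwritten_then_run, no_visible_write = {}, []
    for pid, proc in execs:
        key = proc.lower()
        if key in modified:
            overwritten_then_run[proc] = (modified[key], pid)
        else:
            no_visible_write.append(proc)
    return overwritten_then_run, no_visible_write, dict(foreign)


def scsi_device_strings(text):
    """-> {'<class> <vendor> <product>': looks like a hypervisor device}"""
    devices = {}
    for m in SCSI_RE.finditer(text):
        ident = f"{m['cls']} {m['ven']} {m['prod']}"
        devices[ident] = any(t in ident.lower() for t in VIRTUAL_MARKERS)
    return devices


if __name__ == "__main__":
    run, missing, foreign = correlate(parse_drops(DROPS_TEXT), parse_execs(EXEC_TEXT))
    for proc, (path, pid) in run.items():
        print(f"modified by sample, then executed as pid {pid}: {path}")
    print("executed, no write visible in these rows:", missing)
    print("writes by other processes:", foreign)
    for ident, virt in scsi_device_strings(SCSI_TEXT).items():
        print(f"SCSI device {ident!r}: {'hypervisor-typical' if virt else 'not a recognised hypervisor string'}")
```

On the excerpt, every executed process except elevation_service.exe maps back to a file the sample opened; the Program Files list on this page stops at 64 rows, so a missing row is not evidence that a binary was left untouched, only that the write is not shown. Writes by msdtc.exe (its own log) and by DiagnosticsHub.StandardCollector.Service.exe (a .bin under the SYSTEM profile) are the ones to re-check by hand, because the second of those is a service binary the sample had already modified. The "Msft Virtual_DVD-ROM" string is the kind of identifier a VM check keys on; the "DADY" vendor strings do not match any marker in the assumed list, which is a reminder that a marker list only ever catches the strings you put in it.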
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe

Modifies data under HKEY_USERS 17 IoCs
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" fxssvc.exe
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133424755947227596" chrome.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" SearchProtocolHost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchProtocolHost.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000136f1c171c05da01 SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1133 = "Print" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" SearchProtocolHost.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000045d28171c05da01 SearchProtocolHost.exe
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid  Process
2116 chrome.exe (x2)
5172 chrome.exe (x2)
2188 NEAS.4101b306a8126bd0060a1ed5685c5460.exe (x35)

Suspicious behavior: LoadsDriver 2 IoCs
pid Process
672 Process not Found (x2)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid  Process
2116 chrome.exe (x3)

Suspicious use of AdjustPrivilegeToken 64 IoCs
Token: SeTakeOwnershipPrivilege 3604 NEAS.4101b306a8126bd0060a1ed5685c5460.exe
Token: SeAuditPrivilege 3808 fxssvc.exe
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege 2116 chrome.exe (8 alternating pairs)
Token: SeRestorePrivilege 5556 TieringEngineService.exe
Token: SeManageVolumePrivilege 5556 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 5616 AgentService.exe
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege 2116 chrome.exe (1 pair)
Token: SeBackupPrivilege 5700 vssvc.exe
Token: SeRestorePrivilege 5700 vssvc.exe
Token: SeAuditPrivilege 5700 vssvc.exe
Token: SeBackupPrivilege 5772 wbengine.exe
Token: SeRestorePrivilege 5772 wbengine.exe
Token: SeSecurityPrivilege 5772 wbengine.exe
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege 2116 chrome.exe (4 alternating pairs)
Token: 33 5960 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 5960 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5960 SearchIndexer.exe (x24)
Token: SeShutdownPrivilege 2116 chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs
pid  Process
2116 chrome.exe (x3)

Suspicious use of WriteProcessMemory 64 IoCs
PID 3604 wrote to memory of 2188 3604 NEAS.4101b306a8126bd0060a1ed5685c5460.exe 88 (x2)
PID 3604 wrote to memory of 2116 3604 NEAS.4101b306a8126bd0060a1ed5685c5460.exe 90 (x2)
PID 2116 wrote to memory of 2656 2116 chrome.exe 91 (x2)
PID 2116 wrote to memory of 4268 2116 chrome.exe 101 (repeated for the remainder of the visible list)
PID 2116 wrote to memory of 4268 2116
chrome.exe 101 PID 2116 wrote to memory of 4268 2116 chrome.exe 101 PID 2116 wrote to memory of 4268 2116 chrome.exe 101 PID 2116 wrote to memory of 4268 2116 chrome.exe 101 PID 2116 wrote to memory of 4268 2116 chrome.exe 101 PID 2116 wrote to memory of 4268 2116 chrome.exe 101 PID 2116 wrote to memory of 4268 2116 chrome.exe 101 PID 2116 wrote to memory of 4268 2116 chrome.exe 101 PID 2116 wrote to memory of 4268 2116 chrome.exe 101 PID 2116 wrote to memory of 4268 2116 chrome.exe 101 PID 2116 wrote to memory of 3264 2116 chrome.exe 99 PID 2116 wrote to memory of 3264 2116 chrome.exe 99 PID 2116 wrote to memory of 1844 2116 chrome.exe 100 PID 2116 wrote to memory of 1844 2116 chrome.exe 100 PID 2116 wrote to memory of 1844 2116 chrome.exe 100 PID 2116 wrote to memory of 1844 2116 chrome.exe 100 PID 2116 wrote to memory of 1844 2116 chrome.exe 100 PID 2116 wrote to memory of 1844 2116 chrome.exe 100 PID 2116 wrote to memory of 1844 2116 chrome.exe 100 PID 2116 wrote to memory of 1844 2116 chrome.exe 100 PID 2116 wrote to memory of 1844 2116 chrome.exe 100 PID 2116 wrote to memory of 1844 2116 chrome.exe 100 PID 2116 wrote to memory of 1844 2116 chrome.exe 100 PID 2116 wrote to memory of 1844 2116 chrome.exe 100 PID 2116 wrote to memory of 1844 2116 chrome.exe 100 PID 2116 wrote to memory of 1844 2116 chrome.exe 100 PID 2116 wrote to memory of 1844 2116 chrome.exe 100 PID 2116 wrote to memory of 1844 2116 chrome.exe 100 PID 2116 wrote to memory of 1844 2116 chrome.exe 100 PID 2116 wrote to memory of 1844 2116 chrome.exe 100 -
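The two flattened tables above (AdjustPrivilegeToken and WriteProcessMemory) are easier to reason about once collapsed per process. The Python below is an added triage helper, not part of the tria.ge report or of any tool it references. The two text excerpts it parses are constructed from rows on this page, and the per-image privilege allowlist is constructed from what the legitimate Windows services and Chrome enabled in this run, so it is a baseline for this report rather than an authoritative list. Collapsed this way, the table shows the sample (PID 3604) enabling SeTakeOwnershipPrivilege, which is consistent with taking ownership of TrustedInstaller-owned System32 binaries before overwriting them, and the 3604 -> 2188 and 3604 -> 2116 write edges that precede the corresponding process creations in the tree below.

```python
import re
from collections import defaultdict

# Constructed excerpt of the report's "Suspicious use of AdjustPrivilegeToken"
# table, in the flattened "Token: <privilege> <pid> <image>" form the page uses.
TOKEN_TEXT = (
    "description pid Process "
    "Token: SeTakeOwnershipPrivilege 3604 NEAS.4101b306a8126bd0060a1ed5685c5460.exe "
    "Token: SeAuditPrivilege 3808 fxssvc.exe "
    "Token: SeShutdownPrivilege 2116 chrome.exe "
    "Token: SeCreatePagefilePrivilege 2116 chrome.exe "
    "Token: SeRestorePrivilege 5556 TieringEngineService.exe "
    "Token: SeManageVolumePrivilege 5556 TieringEngineService.exe "
    "Token: SeAssignPrimaryTokenPrivilege 5616 AgentService.exe "
    "Token: SeBackupPrivilege 5700 vssvc.exe "
    "Token: SeRestorePrivilege 5700 vssvc.exe "
    "Token: SeBackupPrivilege 5772 wbengine.exe "
    "Token: SeRestorePrivilege 5772 wbengine.exe "
    "Token: SeSecurityPrivilege 5772 wbengine.exe "
    "Token: 33 5960 SearchIndexer.exe "
    "Token: SeTakeOwnershipPrivilege 5960 SearchIndexer.exe "
    "Token: SeTakeOwnershipPrivilege 5960 SearchIndexer.exe"
)

# Constructed excerpt of the "Suspicious use of WriteProcessMemory" table:
# "PID <src> wrote to memory of <dst> <src> <image> <target index>".
WPM_TEXT = (
    "description pid Process procid_target "
    "PID 3604 wrote to memory of 2188 3604 NEAS.4101b306a8126bd0060a1ed5685c5460.exe 88 "
    "PID 3604 wrote to memory of 2188 3604 NEAS.4101b306a8126bd0060a1ed5685c5460.exe 88 "
    "PID 3604 wrote to memory of 2116 3604 NEAS.4101b306a8126bd0060a1ed5685c5460.exe 90 "
    "PID 2116 wrote to memory of 2656 2116 chrome.exe 91 "
    "PID 2116 wrote to memory of 4268 2116 chrome.exe 101 "
    "PID 2116 wrote to memory of 4268 2116 chrome.exe 101 "
    "PID 2116 wrote to memory of 3264 2116 chrome.exe 99"
)

TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")
# \1 insists that the source PID is repeated, which is how the page lays the row out.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")

# The report prints a raw LUID where it has no name; 33 is SE_INC_WORKING_SET_PRIVILEGE in winnt.h.
LUID_NAMES = {"33": "SeIncWorkingSetPrivilege"}

# Per-image allowlist of privileges. Constructed from what the legitimate Windows
# services and Chrome enabled in this run; it is a triage baseline, not an authority.
BASELINE = {
    "chrome.exe": {"SeShutdownPrivilege", "SeCreatePagefilePrivilege"},
    "fxssvc.exe": {"SeAuditPrivilege"},
    "tieringengineservice.exe": {"SeRestorePrivilege", "SeManageVolumePrivilege"},
    "agentservice.exe": {"SeAssignPrimaryTokenPrivilege"},
    "vssvc.exe": {"SeBackupPrivilege", "SeRestorePrivilege", "SeAuditPrivilege"},
    "wbengine.exe": {"SeBackupPrivilege", "SeRestorePrivilege", "SeSecurityPrivilege"},
    "searchindexer.exe": {"SeIncWorkingSetPrivilege", "SeIncBasePriorityPrivilege",
                          "SeTakeOwnershipPrivilege"},
}


def parse_tokens(text):
    """Collapse the flattened token table into {(pid, image): {privilege: count}}."""
    out = defaultdict(lambda: defaultdict(int))
    for priv, pid, image in TOKEN_RE.findall(text):
        out[(int(pid), image)][LUID_NAMES.get(priv, priv)] += 1
    return {key: dict(privs) for key, privs in out.items()}


def parse_wpm(text):
    """Collapse the WriteProcessMemory table into {(src_pid, src_image, dst_pid): writes}."""
    out = defaultdict(int)
    for src, dst, image, _target in WPM_RE.findall(text):
        out[(int(src), image, int(dst))] += 1
    return dict(out)


def flag_privileges(tokens, baseline=BASELINE):
    """Rows where a process enabled a privilege its image is not expected to use."""
    flagged = []
    for (pid, image), privs in sorted(tokens.items()):
        allowed = baseline.get(image.lower(), set())
        for priv in sorted(privs):
            if priv not in allowed:
                flagged.append((pid, image, priv, privs[priv]))
    return flagged


def children_of(edges, pid):
    """PIDs that <pid> wrote into, i.e. the processes it most likely created or injected into."""
    return sorted({dst for (src, _image, dst) in edges if src == pid})


if __name__ == "__main__":
    for row in flag_privileges(parse_tokens(TOKEN_TEXT)):
        print("unexpected privilege:", row)
    for (src, image, dst), n in sorted(parse_wpm(WPM_TEXT).items()):
        print(f"{image}[{src}] -> {dst}: {n} write(s)")
```

The allowlist is keyed by image name only, which is deliberate for sandbox triage: a process that is not on the list at all is the interesting one, and the sample is the only such process in this run. On a real host the same check should key on the full path and signer, since an overwritten `fxssvc.exe` carries the same file name as the original.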
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.4101b306a8126bd0060a1ed5685c5460.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.4101b306a8126bd0060a1ed5685c5460.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Users\Admin\AppData\Local\Temp\NEAS.4101b306a8126bd0060a1ed5685c5460.exeC:\Users\Admin\AppData\Local\Temp\NEAS.4101b306a8126bd0060a1ed5685c5460.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x1404624782⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2188
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa03d19758,0x7ffa03d19768,0x7ffa03d197783⤵PID:2656
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1884,i,4788748296454809916,2588306465724322647,131072 /prefetch:83⤵PID:3264
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2180 --field-trial-handle=1884,i,4788748296454809916,2588306465724322647,131072 /prefetch:83⤵PID:1844
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1884,i,4788748296454809916,2588306465724322647,131072 /prefetch:23⤵PID:4268
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=1884,i,4788748296454809916,2588306465724322647,131072 /prefetch:13⤵PID:4476
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1884,i,4788748296454809916,2588306465724322647,131072 /prefetch:13⤵PID:3088
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4532 --field-trial-handle=1884,i,4788748296454809916,2588306465724322647,131072 /prefetch:13⤵PID:2300
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4648 --field-trial-handle=1884,i,4788748296454809916,2588306465724322647,131072 /prefetch:83⤵PID:4552
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4788 --field-trial-handle=1884,i,4788748296454809916,2588306465724322647,131072 /prefetch:83⤵PID:2496
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1884,i,4788748296454809916,2588306465724322647,131072 /prefetch:83⤵PID:1516
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5124 --field-trial-handle=1884,i,4788748296454809916,2588306465724322647,131072 /prefetch:83⤵PID:1828
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings3⤵PID:4272
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6ea987688,0x7ff6ea987698,0x7ff6ea9876a84⤵PID:2428
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=04⤵PID:2716
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6ea987688,0x7ff6ea987698,0x7ff6ea9876a85⤵PID:2584
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 --field-trial-handle=1884,i,4788748296454809916,2588306465724322647,131072 /prefetch:83⤵PID:3556
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2484 --field-trial-handle=1884,i,4788748296454809916,2588306465724322647,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:5172
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:3032
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5008
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:1676
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3808
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1848
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3056
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2332
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3608
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:1964
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:4792
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:1496
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:5148
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5180
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:5228
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5296
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:5412
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:5464
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5556
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5616
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:5656
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5700
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5772
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:5912
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5960 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:2152
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 7842⤵PID:3744
-
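Two details in the tree above deserve a closer look. First, the sample's only children are its own crashpad handler (PID 2188) and chrome.exe (PID 2116), yet a long run of Windows service binaries and third-party updater services (alg.exe, fxssvc.exe, msdtc.exe, vds.exe, vssvc.exe, Chrome's and Edge's elevation_service.exe, the Mozilla maintenance service, and so on) appears at the top level, tagged "Executes dropped EXE", after the sample had opened those same paths for modification. Second, the sample's own crashpad handler advertises --annotation=prod=Chrome --annotation=ver=113.0.5672.93 and uses the Chrome User Data Crashpad database, while the installed Chrome's handler advertises 106.0.5249.119, so the sample carries Chrome 113 crash-reporting code of its own. The Python below is an added example, not part of the tria.ge report: it rebuilds the tree from the page's fused "display path + command line + depth" lines, cross-references the top-level processes against the "opened for modification" list (both excerpts constructed from this page), and extracts the crashpad-reported versions. Treating a top-level process as started by the service control manager is an inference; the report does not name the parent.

```python
import re

# Constructed excerpt of the report's "Processes" tree. The page fuses the display
# path, the command line and the tree depth ("1⤵", "2⤵", ...) onto one line and
# prints "PID:<n>" either on that line or a few lines below it.
TREE_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\NEAS.4101b306a8126bd0060a1ed5685c5460.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.4101b306a8126bd0060a1ed5685c5460.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Users\Admin\AppData\Local\Temp\NEAS.4101b306a8126bd0060a1ed5685c5460.exeC:\Users\Admin\AppData\Local\Temp\NEAS.4101b306a8126bd0060a1ed5685c5460.exe --type=crashpad-handler /prefetch:7 --annotation=prod=Chrome --annotation=ver=113.0.5672.932⤵
- Drops file in System32 directory
PID:2188
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --annotation=prod=Chrome --annotation=ver=106.0.5249.1193⤵PID:2656
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:3032
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:5464
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3808
"""

# Paths the sample "opened for modification" (constructed from the report's
# "Drops file in System32 directory" list).
MODIFIED = [
    r"C:\Windows\system32\fxssvc.exe",
    r"C:\Windows\system32\msiexec.exe",
    r"C:\Windows\System32\OpenSSH\ssh-agent.exe",
    r"C:\Windows\System32\alg.exe",
    r"C:\Windows\System32\msdtc.exe",
]

DEPTH_RE = re.compile(r"^(.*?)(\d)⤵(?:PID:(\d+))?\s*$")
PID_RE = re.compile(r"^PID:(\d+)")
# Display path = optional \??\ prefix, a drive letter, then everything up to the first ".exe".
IMAGE_RE = re.compile(r'^(?:\\\?\?\\)?([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)
VER_RE = re.compile(r"--annotation=ver=(\S+)")


def parse_tree(text):
    """Rebuild the process tree: list of dicts with image, cmdline, depth, pid, parent index."""
    nodes, pending = [], None
    for line in text.splitlines():
        m = DEPTH_RE.match(line)
        if m:
            body, depth, pid = m.group(1), int(m.group(2)), m.group(3)
            im = IMAGE_RE.match(body)
            image, cmdline = (im.group(1), body[im.end():]) if im else (body, "")
            # The parent is the nearest earlier node one level up the tree.
            parent = next((i for i in range(len(nodes) - 1, -1, -1)
                           if nodes[i]["depth"] == depth - 1), None)
            node = {"image": image, "cmdline": cmdline.strip(), "depth": depth,
                    "pid": int(pid) if pid else None, "parent": parent}
            nodes.append(node)
            pending = None if pid else node
            continue
        pm = PID_RE.match(line)
        if pm and pending is not None:
            pending["pid"] = int(pm.group(1))
            pending = None
    return nodes


def parent_pid(nodes, pid):
    """PID of the node's parent in the tree, or None for a top-level process."""
    node = next(n for n in nodes if n["pid"] == pid)
    return None if node["parent"] is None else nodes[node["parent"]]["pid"]


def modified_then_executed(nodes, modified):
    """Top-level processes whose image the sample had opened for modification.

    They sit at depth 1, not under the sample, so something other than the sample
    started them. That fits a service control manager starting a service whose
    binary was overwritten; the report itself does not state the parent.
    """
    wanted = {p.lower() for p in modified}
    return sorted((n["pid"], n["image"]) for n in nodes
                  if n["depth"] == 1 and n["image"].lower() in wanted)


def crashpad_versions(nodes):
    """Chrome version each crashpad-handler child reports for its parent binary."""
    return {n["pid"]: VER_RE.search(n["cmdline"]).group(1)
            for n in nodes
            if "--type=crashpad-handler" in n["cmdline"] and VER_RE.search(n["cmdline"])}


if __name__ == "__main__":
    tree = parse_tree(TREE_TEXT)
    for pid, image in modified_then_executed(tree, MODIFIED):
        print(f"modified by sample, then run at top level: {image} (PID {pid})")
    print("crashpad-reported versions:", crashpad_versions(tree))
```

On a live host the list returned by modified_then_executed is the set of paths to check first: compare each binary's Authenticode signature and hash against a clean Windows image of the same build, and treat the services that load them as compromised until that check passes.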
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5bbe4d84acf1d2e45d85f55e97057514b
SHA1d4a10f4ab4621d2d65eff6a1e00efffc9cddf61d
SHA2566e7d5a80325f4c174f4f4561d3dd149e049c34c1967b02ae6c3b8c8d1618102f
SHA51277251dbc94d8911ba0fa1c67b8e5017746aa2e986ebfef76dd9f27efba1c20181e7d04f63761b7d450d7900aaff99a20382b643bbb62e12f46fe07dfe21ae2f7
-
Filesize
1.4MB
MD57e1a9537b6079623c005afbd4b71c5b8
SHA108f9ded04300b3b080b12fd15f8c4897e6a0eea3
SHA256f9253504a7382e9086498d24a7adea27a7533b173229bf0de2358eb0be5e5cfc
SHA5127be05f1f6f80d3a2b3ba9324741b5373fafd02bd5ac6fd8ce2144222281f89a8c312a0e0092e9a629318a4dadfe8d0a4471e61d93ac1f3fade46e9b960869a77
-
Filesize
1.4MB
MD50d8c0a2bfab3df3f1f58df88b546cf0c
SHA10ebef46e892f25079a03c3b788230644d299648f
SHA25672f26ee2ad8cb52f829f3b6ef87d78c266aef7e2d6c5e19bf2082b3bddd33a1a
SHA512ca6dfb3917f9932ab34e83db971f0f643196a6f81f042b612b11f5a92ea173eb594647bc3a67ccbb37c0676cc5e26db7ac54198458554c5708893c2d72ecedcc
-
Filesize
2.1MB
MD58588a1f13aac53acab9058b80d37f472
SHA1bb60b4ec750cfdfb3fd9ed2a7fc03106fa48f758
SHA256931fb75feea05ae0b7e8e23294c7cbbb6e2b7363d4cdde2999e88e9a11f6867c
SHA512f338b06b231432a76e81f07fb97322e263041bfdd814d48a6b3f02744d2860629adddbb2ec5059425f42b931fb28e14e2015643c3b9aaf5580f15f2c5d65e4b7
-
Filesize
2.1MB
MD58588a1f13aac53acab9058b80d37f472
SHA1bb60b4ec750cfdfb3fd9ed2a7fc03106fa48f758
SHA256931fb75feea05ae0b7e8e23294c7cbbb6e2b7363d4cdde2999e88e9a11f6867c
SHA512f338b06b231432a76e81f07fb97322e263041bfdd814d48a6b3f02744d2860629adddbb2ec5059425f42b931fb28e14e2015643c3b9aaf5580f15f2c5d65e4b7
-
Filesize
488B
MD56d971ce11af4a6a93a4311841da1a178
SHA1cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize
488B
MD56d971ce11af4a6a93a4311841da1a178
SHA1cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize
40B
MD55bcdb318781c19c60fd1c01722509940
SHA11313e9c5e8e32847c5340fe65ee9053c3dd7ee60
SHA256d4ebe6da9932b5f036cf4d66c5eebddab7df3925b8d0ddc1f8de7bc7237b8095
SHA5121cfdd8f3d7947fa0b86afb9611336b9ac7e07d6a35775dec8ac293318ab3a0ee3c541e8a18298311461585ea174ad17b2cc576ed2cc84a1a29f20fea279f077a
-
Filesize
193KB
MD5ef36a84ad2bc23f79d171c604b56de29
SHA138d6569cd30d096140e752db5d98d53cf304a8fc
SHA256e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize
1KB
MD5722d442c5e7cfbee125e6851662c72cc
SHA1e9bb4ea96fd70b582b0078b607553f5fe3057e3f
SHA256dc0fe123b8527ca46d205253b50492b2bd6ce038cb0493b5a38a4caccd0b608c
SHA51200df2140c02eeb117e6561536dd5813f4d8385623277b6ae5b925a9be594703efb8bd307840c595f1db51d9e3d58711edadd7c430c250e28301a71fad0d2a74e
-
Filesize
371B
MD52897cb23e6dd9a488c510557110cb0d8
SHA1bb2212c43175258ef03119b4f77c61b040507529
SHA256639d9d136e9326f76ff91e6311afcbc6683bd4cacf41e3fde75096da00821ed6
SHA5120ddf5e9c53ca64cc212051da8fd4b9411d9a8343e9a9aa4472d5ecc8cce463f8452f354fbbf962155c73b2f0f794e6c2ccbfd0b8928292840d436786903b6836
-
Filesize
4KB
MD5c86693c7d2e9150aa5814c5ad863e61a
SHA17006d843d0689e279b5b46c9c14da1fda2e60f54
SHA2561c8825c7ddd7df8d1c04c331915ecf6c23e2da0944f5bdd334c3e46ce95857a6
SHA5121ddf231884cc2f25290d82378786b3587fe14bb6c4bc924d7702164ee9be4ca2230a2ed51b848dc7ac52fa4d0cdbd3e93be9a0ba57b26c32672ef1feadc21c5d
-
Filesize
4KB
MD592419df2582c2f4e7481db08d96a2e73
SHA1f539a39ffe011489aac21580ba9dcb6369c12ec9
SHA25670ef61bda6a353995818be2700f895fc34fde366fd94cb73206dfd0ab9e5098f
SHA5128eff53c6588b3e986bfda718a6f383766248d92c5438499d98ca82c5246b49c718a314d66b45b9eebcac6f090a3bb521ff2985af8df135d37a4268c83ac2c3b9
-
Filesize
4KB
MD5fd2abac946df096d4f3c26f80c21dff7
SHA11a525788daf4c1b000d1adcf9e75f7f14e5750b9
SHA25690b8c227b371b6b4bda74355b2477b7eab4dca9040849a0617cdc933e2073fe8
SHA512f2559ed3ae9ed3aab65e77df50f8f455311b3044db51009bd8bf5cc98fae9417d94590a059289b6a03875f2211c926102d27df341278889c0f19eef3ae3c70b0
-
Filesize
2KB
MD548e4916b8a42fdc55194128cd6147500
SHA178461c8767ec60f1d9daa15efc7bc4baccad45d1
SHA25686f7c70f9f97219667c40485ab5cb1e830882a091a7f2e0cbf2c2fd2bb293a56
SHA5129052032e790b74ed4a0cb8e106cae41e205f7bc43c2ba61624537aaa1cf21e8ffd324f480e4a519863d83a66988ca634feac4db559e6e9e57daf9c07d5d56905
-
Filesize
15KB
MD5367f4fc7308a9c3875e8adfa5a37ae1a
SHA14f427f03383561476e200035f1a8b6e6cf2800c6
SHA25658ffd439dc4a8fad468988f0392f1f11c2584155f4819c614cbda800242521d9
SHA51210fdcd5c83216ee0ad8585f03e4579e96d20fc97c6a03de4829949b22cf3fb5784c21e82aee3e05ce4c2891f55aa93ba8fdf8c92b7cfe8c19bad3164b01ad870
-
Filesize
214KB
MD55e24af74e4a896b51f002f5df023c89e
SHA1f557864fd0fe97d20500de0d21cebf9115116eeb
SHA256acf7149c54b0621b969bab668413051be7fcffbb6fa7cf192638cce1c4047c0e
SHA51210e8ccfd46ec125914cf8062edf61b8df98023bc6295ec0b0198dc557fc147f3f52066dd09af39a3ad2c15c75c5a16dd4311fb43f4619d63dd653c111be41f99
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
6KB
MD53f78874d230a4eefbfeda3bc0402767a
SHA1d04f5ad980fc05bcfa7c88699faee4b1b818ab70
SHA256bee09d40ae07857bb07aae97729d51d464e007837977a9bbed53b3617585e493
SHA51249fbbba15ecde8073b4a1c3f454eac1472b96a23da97a1d85f0ca08a0248eaf2ed462915c1e0f60d98770ca5b6fd6208d5a8b2bb389a18607f7bf0dfbc3b9fe8
-
Filesize
8KB
MD558ff599e8fe48402eacec8051ef36306
SHA10b266ea827b33844be967233f361f0ea32bc4621
SHA2568e7283cbaa53ab9d71e005ff3a0289f962df601102500d61b431acc5dbcd4e95
SHA5124cd97f780fb0ed25abe600e4890e97613617cb88d64b9f6c3c44f04c61484efcdc8be6ead9358b08ca3520ffaa9cfb96eba4979c48bdbb2c25b61f9c44f91fe1
-
Filesize
12KB
MD55feac225c2c79965dae3c0d772776ce2
SHA12eff73bca2e073cf60a65102c1e0356373b64db0
SHA25643609f349617fd82a1f6fb8bda4f230d653bd18660ef66e4081b66fc77530cc6
SHA512887f0cf380c6fe8ce248529c6a9f28243ebe81e2809c614f40c00a1b0ce491001ebbfb21fcade240376612ca8ea1fcb500ee903ba78a821efda9def62844ff17
-
Filesize
1.2MB
MD5e8cc93ef64b13871cf33f1950c2a3202
SHA1d555c35ee6ec79101c9256f2341b1021b0cb0b1b
SHA256c33ff0c4109b6e59cb1989f956e71bd1ceedc975a387112569d9c4ca0dc62b08
SHA512f1f91218223b3db69d71c17bc10d7af711c719cd4b25f335f2404e3afba66bbeb2578402cda739772c3675054200feaf389fefbccedf38583797c391643eef69
-
Filesize
1.7MB
MD5aea867aa0618b05d485f61332ed07f64
SHA1e6806025f291e6a63e7121cf9117ec7df1fb7803
SHA2561f30a07e80f5809a4d02dd714e53c6617d53e056433050ece49bc20216b7733e
SHA512476daa3fd9491fa314cc6df9a53e51702149269c4ab081caed9be893b4fe5ec8536ae7c3f7179058964aee561c90ba6fa4c0221371abb6dd7b77a4db48e74886
-
Filesize
1.3MB
MD580cc43146a67a40166cf45afc5a04d65
SHA172715918424c701fc791f218dbe3a5aad539c2f2
SHA2565e1eccf7e9e630241e92909b3267a836f1d11ddfa961c3ce8723d7dc3b631519
SHA512a2ed251bb4631a14061adadece376ef8260d24e28d4bbf2bf603012c26e4bef80b5cd5a4fc512ecdce7600cefe59b053474a86097914d48f28a7fa3ce6d94393
-
Filesize
1.2MB
MD50d19299801b72ab702cecd1251852a6b
SHA1b690a312ce6cbbfee8d0e90e247788c018869f46
SHA2560405c6783f82cc3aa60797915027b7691e85884090aeab73be3212a89f473ffa
SHA51269f365a0a8d5cb58e8c91d7f9b832f0c284133182035448d3b07e1189e408ce36986405a44c9e1f988b37bcfa530950a4a82b72e06c935b407d81ec4681aa25a
-
Filesize
1.2MB
MD56ad08915deabc6d3e677564d9b492571
SHA1e3285d379fa744d82166b27e036b5669054452e0
SHA256d96f6909d8a863798e9d589706002038520a8ab3ab11bae3b830efa5fcc46218
SHA512ad34222d5f7f21ce3bfb49bea896d9d2997db2df08e6f98243de6d57c767fdf0ea665c03c519c48285e59e9fb5822dab2a834af2da382e764d21ce53ae24b1e3
-
Filesize
1.5MB
MD5523231c4314f66de0b8753308197db15
SHA1e317ac7642eb3e48875611d112fc23fb475e9133
SHA2562ec1905eca575143ccad4dece02a179fceef612bfaa67e68e4cba5b83fde19ac
SHA512bd91e6cd631e8bdb2322b64c299b3284aeed3489645817fffd2faf95b71ec675cf161220d86c21faabc8e4ee1b53d32e03994cbb863506bfc7f83b0437851583
-
Filesize
1.5MB
MD5523231c4314f66de0b8753308197db15
SHA1e317ac7642eb3e48875611d112fc23fb475e9133
SHA2562ec1905eca575143ccad4dece02a179fceef612bfaa67e68e4cba5b83fde19ac
SHA512bd91e6cd631e8bdb2322b64c299b3284aeed3489645817fffd2faf95b71ec675cf161220d86c21faabc8e4ee1b53d32e03994cbb863506bfc7f83b0437851583
-
Filesize
1.3MB
MD5ebb9aaf4c37dec70cb26f4112217dd51
SHA1bc298bf0ca38c2b829a90a9f5c1668cdd5317be4
SHA2565fa6bfe88b25260e6cd6418e169c314460df69bcd22f82889085b3c3252fdec0
SHA5120a4cd92843faccfad9d157a28e4ffa51244ec11f5c0ebac09c199a3af0f8fa166b8f2a7fdff21c081ef51c04a13645faaa0ffb2d63202f2987d8fc4fac7985f4
-
Filesize
1.4MB
MD5066e4b7c4ba840873e2eab5b180a3646
SHA142cb125fe08172cf41f381f5a1b0d667078e189f
SHA25629fbd8ad6544a89da37f4422feeeb1d44497a0d114174f69a050c7aef907d793
SHA5128b5d23f7f974bb3c178a2dd3e4456d26a9574eb58dcf3c56c36fa4dff7d1e67a48af74fc1d5ab37d5aae065c92f62a54045429987376b64cfb03ad4d3af6a4aa
-
Filesize
1.8MB
MD533a7189a8d742d3cb70a86276e74b6c3
SHA1206785c3683c95fc32c318d91344f52d7086ba65
SHA256ec85e7954006fcb061312c4e0d28633b2ff27407b3ba8aabcf36308df47b4811
SHA512aaeb65cc1cc5e52311462cca92142d8499989ad5bcbd051b63ed279da9502f5fd8503084e2eec08e7181ffb330cd39743870b2b957b24c1950899c877be4b4e5
-
Filesize
1.4MB
MD54ec50510770bcc2f4a098d96c9104c11
SHA1d07aab6c1f172481cc5f8c401381fa1912e58022
SHA256a1cc255f53c4cde9e2d2fcf11ecc244d455af1d0774b78b7017e4a948e8b8a3e
SHA51254e343690b7b00f486ec065e41f34e77c1b2111caf5027a14b4f6054ce74fddff15599d5966574e01ce04b66afa7dffeffc746cea30fb623b158f4d6bab27a07
-
Filesize
1.5MB
MD5fc39888c0e9f5f42521c9a07f6d47bac
SHA1afa22231487d28dd70c7d14db859cff26ab342bf
SHA2563438694325defdcae5cb693963bdacc750a607b1b034a2c3ad0da95ca72df90c
SHA5124f59224df21017d55be986baa25d6bf6c1dfcd201d6737986576f5fdf0136ba1e580b154a1b78c54e86e5b2a8fe92c742d8996a4f81b985a9ca300a3c40a9186
-
Filesize
2.0MB
MD50b62bddde72e9e55d823b56713afe72d
SHA1a4b22090f1db8436d0965a4df375b4c47147efaf
SHA25647ce654c842db789661f45a27406b8fee17aead950fbad5080e0fae9ee9de805
SHA51227c405cb5ff154b113ac9aa4636e653cf58f44cf6997de399bedef7e6f14b54c8344474ce3973d7bc691d30d953098d76071b4370338b9c5bc4dc688a97637d2
-
Filesize
1.3MB
MD52bd59b15f6c681bb5b2c7db89f765138
SHA1957d757839860dc52b0811f85eafc7f72915602a
SHA25645d25d4bffb3b57071ff1f4f5fac65c395e5bd3ce8cb3c78596ce3951a9904b8
SHA512b2c31851816c118a0443459969d59bc57e146ed2da77ed2c75dd850d5b05a13ef45ddcea1bbd2927fe5df2535386028226e248d5894422fd765a6f9891119415
-
Filesize
1.3MB
MD5c1ab0503514ac45e03650ba27a31f433
SHA1158b919ef2367481bfe90d5d1d65481cac106f70
SHA2569ac55411ddbf2a960fef9a098b71096db97ee024b30c22350c1d879a47252759
SHA512338a22985d7f4584438171ef4f31a60562ac1d360245e3f82f14874bd66aeef597ab20fb2ab15108dcc3efbdf683ddbc7f60828b9d5a320e03a8c27bfb84ab43
-
Filesize
1.2MB
MD5b2be5e61c05d556ff78a17ac9913bd0e
SHA17234cc8cc0d8101474f368863dcdb61994e51e7c
SHA256163e4e22b3abc8c0af5d5ca374b00f1524b15d0c65cc7b5abdc859eec1276295
SHA512ceec1f95417a86665de600ca9ff4147ca84fc747e7c55978e0038660205ab35cdf0478ee12f729c594049c3992e39bd511d4caabeb9de690129b22a99577d270
-
Filesize
1.3MB
MD59b696464f781ecc997a9ff967df32d3a
SHA104db23bfc832bb86e507cb5619494c231261419b
SHA2563714b424c52aac0a2711eec7c2359557b5b6d69b8671c8f612d21b3ca55a6bcd
SHA512701e1c21d0c8c7ee1327e948065776280418d6b513bae43451c434513129171dc40234060fb7aa2887a7f13d388b2b6486f848d36e77c71addbb69a3150fdbdc
-
Filesize
1.4MB
MD5e5c9c6ad4243ff2d3d3022a3832cadc6
SHA1969d8e0242ff2f7c75dcca32235ea56e048f36b5
SHA25654e2d44a7d96c360c873abefb15c90da477f4c7f24fcefabe755546ebbf0874f
SHA51252c74e5088e1d8a8efbafbd576d9f21fa7e3bf3f5d40a652adfa61dfdc02a6f34b3484cc52dce3849f2b3287fe626340b6f6be3f1f5a3acce9a23bb7485d3123
-
Filesize
2.1MB
MD54dc69c827a335cc73141821e3437d411
SHA17c545c9adf6793c42411bb0a8650c9c438355734
SHA2569f7bd846d5b8499a0edefaf3c3d8b61a2674d342ccb832692382595c4de2b0f3
SHA51213ce4acd8df19ebdf6982ff1d66a95b509684c1b9effa61bf08ede8793c3d8e06acf634fd2c90cbb1b58323fb9bff36e7370a0ac66f51fc66f526d97f8bc0da5
-
Filesize
40B
MD537a207f29f4ccb1560eff6ebf5567097
SHA1dd427b73a7a2f89fd4950d233a197c7bbed83066
SHA256dea1a251e79ebd623434ab88e903aa2462a6e989d421b0192fa04e4a7756254e
SHA512ea2d22f818f17be94b785fd4870f07eeb1871cc352b3e3acfa5df3249f95b1239c701fa88dd181f9cba2a79aa50721680cfff6720423c29fb092d36f1fedce13
-
Filesize
1.3MB
MD525b8ddd9f58748e8136260c680942163
SHA1945ad70f307ffb35a48977947152db8ea88bf1c9
SHA2567c6513ef25288be585056f447744575a367e41dea74ce4afd3e7be6779c29e91
SHA512b54d765d96e8490e5a8fd19a9f814b54da2d23549578a3d9608e4ba4274f2fb80b37c1477f6e34a737962b21739c5338299370af81af51f4440166e1650d9e23