Analysis
-
max time kernel
150s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system -
submitted
27-01-2024 10:26
Static task
static1
Behavioral task
behavioral1
Sample
2024-01-27_2c17180e563754924088d787c3d749f3_mafia.exe
Resource
win7-20231215-en
General
-
Target
2024-01-27_2c17180e563754924088d787c3d749f3_mafia.exe
-
Size
1.4MB
-
MD5
2c17180e563754924088d787c3d749f3
-
SHA1
e37f0ff908e3a740b4af61c058f73858cbd2bed8
-
SHA256
cfb230be8cace9576b63099b4d0212dcb636a736eb4cfe88f66261aadca2d541
-
SHA512
3b62ba433b8196272ace2d9e99da566382f7ba69cbc86cff950b7b67f6708f5b67ce6f5dae690dfd1760b0ef23d070116c7a601703533e8ea03beecad92250e2
-
SSDEEP
24576:VKVGgkEltbjzWDwCmTPPk/z5Zf5hz0dNUX:VKkg/SDwCmTPc/lZfuN4
Malware Config
Signatures
-
Executes dropped EXE 21 IoCs
pid Process
2400 alg.exe
2464 DiagnosticsHub.StandardCollector.Service.exe
3180 elevation_service.exe
2644 elevation_service.exe
2532 maintenanceservice.exe
3412 OSE.EXE
5048 fxssvc.exe
2428 msdtc.exe
4764 PerceptionSimulationService.exe
2372 perfhost.exe
548 locator.exe
1332 SensorDataService.exe
1832 snmptrap.exe
772 spectrum.exe
2180 ssh-agent.exe
3496 TieringEngineService.exe
3288 AgentService.exe
1300 vds.exe
3432 vssvc.exe
4068 wbengine.exe
3228 WmiApSrv.exe
-
Modifies file permissions 1 TTPs 1 IoCs
pid Process
2116 takeown.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 27 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
description ioc Process
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe elevation_service.exe
File opened for modification C:\Windows\DtcInstall.log msdtc.exe
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
-
Modifies data under HKEY_USERS 5 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" fxssvc.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process
2464 DiagnosticsHub.StandardCollector.Service.exe
2464 DiagnosticsHub.StandardCollector.Service.exe
2464 DiagnosticsHub.StandardCollector.Service.exe
2464 DiagnosticsHub.StandardCollector.Service.exe
2464 DiagnosticsHub.StandardCollector.Service.exe
2464 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
676 Process not Found
676 Process not Found
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1144 2024-01-27_2c17180e563754924088d787c3d749f3_mafia.exe
Token: SeTakeOwnershipPrivilege 2116 takeown.exe
Token: SeLoadDriverPrivilege 1144 2024-01-27_2c17180e563754924088d787c3d749f3_mafia.exe
Token: SeDebugPrivilege 2464 DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege 3180 elevation_service.exe
Token: SeAuditPrivilege 5048 fxssvc.exe
Token: SeRestorePrivilege 3496 TieringEngineService.exe
Token: SeManageVolumePrivilege 3496 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3288 AgentService.exe
Token: SeBackupPrivilege 3432 vssvc.exe
Token: SeRestorePrivilege 3432 vssvc.exe
Token: SeAuditPrivilege 3432 vssvc.exe
Token: SeBackupPrivilege 4068 wbengine.exe
Token: SeRestorePrivilege 4068 wbengine.exe
Token: SeSecurityPrivilege 4068 wbengine.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target
PID 1144 wrote to memory of 2116 1144 2024-01-27_2c17180e563754924088d787c3d749f3_mafia.exe 89
PID 1144 wrote to memory of 2116 1144 2024-01-27_2c17180e563754924088d787c3d749f3_mafia.exe 89
PID 1144 wrote to memory of 2116 1144 2024-01-27_2c17180e563754924088d787c3d749f3_mafia.exe 89
PID 1144 wrote to memory of 4416 1144 2024-01-27_2c17180e563754924088d787c3d749f3_mafia.exe 92
PID 1144 wrote to memory of 4416 1144 2024-01-27_2c17180e563754924088d787c3d749f3_mafia.exe 92
PID 1144 wrote to memory of 4416 1144 2024-01-27_2c17180e563754924088d787c3d749f3_mafia.exe 92
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-27_2c17180e563754924088d787c3d749f3_mafia.exe "C:\Users\Admin\AppData\Local\Temp\2024-01-27_2c17180e563754924088d787c3d749f3_mafia.exe" 1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\takeown.exe takeown /F C:\Windows\System32\DriverStore\FileRepository\ /A 2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2116
-
-
C:\Windows\SysWOW64\cacls.exe cacls C:\Windows\System32\DriverStore\FileRepository*.* /E /G Everyone:F 2⤵ PID:4416
-
-
C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe 1⤵
- Executes dropped EXE
PID:2400
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe 1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe" 1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3180
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" 1⤵
- Executes dropped EXE
PID:2644
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" 1⤵
- Executes dropped EXE
PID:2532
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" 1⤵
- Executes dropped EXE
PID:3412
-
C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv 1⤵ PID:1672
-
C:\Windows\system32\fxssvc.exe C:\Windows\system32\fxssvc.exe 1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5048
-
C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe 1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2428
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe 1⤵
- Executes dropped EXE
PID:4764
-
C:\Windows\SysWow64\perfhost.exe C:\Windows\SysWow64\perfhost.exe 1⤵
- Executes dropped EXE
PID:2372
-
C:\Windows\system32\locator.exe C:\Windows\system32\locator.exe 1⤵
- Executes dropped EXE
PID:548
-
C:\Windows\System32\SensorDataService.exe C:\Windows\System32\SensorDataService.exe 1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1332
-
C:\Windows\System32\snmptrap.exe C:\Windows\System32\snmptrap.exe 1⤵
- Executes dropped EXE
PID:1832
-
C:\Windows\system32\spectrum.exe C:\Windows\system32\spectrum.exe 1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:772
-
C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Windows\System32\OpenSSH\ssh-agent.exe 1⤵
- Executes dropped EXE
PID:2180
-
C:\Windows\system32\TieringEngineService.exe C:\Windows\system32\TieringEngineService.exe 1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3496
-
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc 1⤵ PID:1680
-
C:\Windows\system32\AgentService.exe C:\Windows\system32\AgentService.exe 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3288
-
C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe 1⤵
- Executes dropped EXE
PID:1300
-
C:\Windows\system32\vssvc.exe C:\Windows\system32\vssvc.exe 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3432
-
C:\Windows\system32\wbengine.exe "C:\Windows\system32\wbengine.exe" 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4068
-
C:\Windows\system32\wbem\WmiApSrv.exe C:\Windows\system32\wbem\WmiApSrv.exe 1⤵
- Executes dropped EXE
PID:3228
-
C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchIndexer.exe /Embedding 1⤵ PID:1668
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
384KB
MD5a36014323d05ce3fd01ab37ae4661ffa
SHA1922177c75be887cddc67adac77320773b7ec550a
SHA256129b9eb6a91ccefe5ea9abd1ac8eb0b140cbfdd661351c45caa2e7cf92f473b0
SHA5124b79871250e485c30feefb2519cf1b05b1ca9f497f80354a89528f15ecb9812c218faa0b963a8302e97121be2f509d8ffeb9135bddb9cfa896b3d7037454c249
-
Filesize
576KB
MD5bf02a2cd5c62ca17e2973849662b26a8
SHA18e58755c8c415b3a966d91c54d91ef00660020ce
SHA2566d6b78da90db5d18fbe639d3eb14080cc75782aa0c6c487d3ea8f18423876415
SHA5122d8ca853c3ffbff38aac5d7843eb41d12cc5fe9713379ec9436dad04410dbeed440ac98a1ae6c64d72033f7a992f108079bd19a2879d50c73e2f55d63aec0221
-
Filesize
1.5MB
MD550e5521dbca4ee0a6520c935b0f2ad5b
SHA1c93c59e86a701fd305826aa3ba5a3f1081b7b5d7
SHA25622f38eb67d002aa3996762a39c269bca8adccff6a5fb0ea47eaca7137a435a3c
SHA5124efb588cc02c41320ad2e9462fd182202b72efb1c473ee379ef834e2faf183545a222da8ec5d2d4417f23a88b54af986f59797c20c1a2f5a0f45a83240781b7b
-
Filesize
2.1MB
MD5621a9b02fbcc1019dcc43fd5865f1c37
SHA10a4f42ce3363b6dcb58efe43dd224dd6aa83a779
SHA2566e2e556ecaf48b251a3ffd3e79e15454ebc0e87aa211b307782683312e27a505
SHA51280577f7c451b491650c5a096911fdf1ccbc8f6876e6e79a2573ab07cad6153361e211d436a1903fd558507d1d275e4698e9518b98435beed67749ce4464f7071
-
Filesize
1.2MB
MD5808734f92ac4979ea224114efda9a306
SHA16f76caaee0c3237f659c6c5aaad10abbe5754000
SHA256d3221cceecf92d052485ef978af1dffc15a4dae73ba1771b44e9633b1db2297a
SHA512757105833dbda943e67c58e80332b87b0fc7ad4f04111c9a7cff28f8454f543f2aeb9ed6c9c1aa24f87285fe31756aba573ad73640e8801c6e5b9ea3d886e1d2
-
Filesize
1.7MB
MD51e9e9a5d2304570110b714b54dad6c9f
SHA1a550905ccd7f9c98c110bd83c6cbcc9c6c652cd8
SHA256ebce0fbb183bfc11d63f104f117def18df9d3c42936f7a6e968cc70982a1709a
SHA5124dd4a12dd6ca9dda53d9dce934b4fba25204306606a7556e0a9dfbd043002cbc7807163e8ced0176fbb20ec308081aa22e6eca60cb301183698bc4c7c52b98c3
-
Filesize
1.3MB
MD5d05e058e784b439fd5dca4efd35cc262
SHA136b2fd7ca4f4577c088e746befbb2de63a294578
SHA25610f76ab16164120ee0602bf1731be154fffc0171d4e0e47471495619960292e0
SHA512054cbfa7515428a120c96ae320e3eb8d30573746d9ed3a0e854294110183ac48f0ba072a0c002219658d6ca8507c5962ce2d24b164ff4e70ca42f93737acae5c
-
Filesize
1.2MB
MD55b28f5378d6b9ab8e0e2fc0b3a4eae32
SHA1c31714590fe0bdf22b6aa78628057c4b3ba1f5a3
SHA256c261b7d4854c4576a4c677f8c015bca1b4dccf1b0430cc73d09dcb5abcb41437
SHA5123c1037dd5cbd325d0c80babfea5bc4a3480066d45ec5a703711cd20aeae781fce8d64ddb45c4bf925715c6e58681e1cfb0b5d1bacd9882b5a11e7a2d492db568
-
Filesize
1.2MB
MD5ca5238646132d61d45fe8f20179362ac
SHA1947dc573c2c0b9be63f1e5e9993007e97a2277ac
SHA256d7a2636c4bb28dc07324aef4a3a2fdaa23f089dd18ed010dea0eeaf4ba956d43
SHA512a17b5c7609ef4a10e64b73c2cab05b95e5702075a2cd1ba3f93ae2845ccfa18c6cfa703768544c38e56e27338fa0ed5b5599446ccae518bf426b23ea7e072811
-
Filesize
1.6MB
MD5b1c67c0286e290ad4794a9f5828fcfe3
SHA113cd040d793d2357e2a67fefe6122b34fb81843c
SHA25665769c657bf25efa2463287b249c7aa4698d472692b75c06d36ea78fd4350b4a
SHA51294945b38187e6d09602a632c41b49459cc0d968e59e7c0d3f30505bf1875e9d8012da4984cf603ada12b2ae42230d047c2bd36a749b90d32ff03edbe0f06e7a7
-
Filesize
1.3MB
MD580f3c283e7f13ecffe0d3a996021fd9d
SHA18f27a76369c87b7162a5a788bee4bf0d25226664
SHA25601e4ecf2c4e1daf87082c23d92951062cb9ca65abcbc2006bac16c42310a4ebe
SHA512cec98dfeac189052726f79eac7568a932a1f4433154b7c6a8331b4e0aed0404fe29d3b830bef22df72b41a6d60feba3c2da4a7eafa7da8e27d37d21bbbefff5a
-
Filesize
1.4MB
MD57ece9967247c7a9745e4da6e4ec7ed96
SHA1cd04e84d0e865e5983853c6526ad32ff6a7851eb
SHA256d4874f201637fb6ddf464ecfd1943e6d06a510a0b2f25285728e823aba3044f4
SHA512abeacbdd3b2d49a68d879380758249104e43150420519de9d1d22ed8de70bf7f39f23a3b6dbe1d9be49da244986c91ebb28499718559de0734401d1b246432e7
-
Filesize
1.8MB
MD5603cd95eef79283547dfde8a741870ba
SHA14730fdbe8357fd033e57915842e21412d07d1e8f
SHA256a298aa86c78f99eb2006b37b8a42935417abe9eafc0483a775233cba6b130e14
SHA512618980ddddff03bbc4bea165f9fe397b30ec15b139530d18d1f80b6eba8700e67d83389a66430fededaf767d7d4684eded21d14e3a79b30f9b2e88595797f762
-
Filesize
1.4MB
MD5001763b776275486bbe95ce906058f61
SHA18439e0f44790d32173e893e2c8b19d58ed10f01c
SHA2565bfda73f42209302b9ab89faa341f7c3dfd51b07c59a4ec81cb8a470afc314ce
SHA51235d41b76765b09b421adc5b65fc6deeb781e43e4c49a551f4eb133b237138626b8021af01f634724faa8185372b73e3e16c7f885c15f69964f8bc76c3fdf15af
-
Filesize
1.5MB
MD51e116be9a7299f333b1c628942abeea3
SHA1c77ab75086b44a7e9f139b135be2642a557d9d68
SHA25685e5b9555d91c54e4b47fd7b6fb9e9bf99798f3b47203e6cd57d5c9b5559018e
SHA5129f3c111e1799d85b799ed424e4133369784d91df0dcded728bfe56d576838c1529edf62d45d824244070aec07580632950126b5c55894d7bb2961c027cc45d29
-
Filesize
2.0MB
MD5ff76d34bc74e55fd8c5296d7a463aba4
SHA12cb1637b53e459c70aee6427b19b6674d6f959b2
SHA2562ee188a78e1932c7b64316d6a0f32f620a075565d5c9f8725035299ff5ef947b
SHA5120208c6b9f9951738249a773d680cf829a280296d618c879275535872cd7b599bda6003610f1a4a63c1eb6f0efd701ddfcb7e0922679114f70327ee2ddda3b95f
-
Filesize
1.3MB
MD57e2488c2c4e67f01a497b74de85365e1
SHA119278dd7cc095e07d23f115ccbc7f4cd7aa2dddb
SHA256a76b9e292628305279bbb6285e88779aa3ec558105ae5121af53841aa291b116
SHA512d4c0da9b187a7f6bc1cbc48aab3d7e2f26882cb5cf909bf8da6e1b72b3913f15cc18bd302dd4c83353744ffc6de9fc9c4cc82425e85fc07232363a49594e79e0
-
Filesize
1.4MB
MD514566409e57317896bf871443c5a1460
SHA16470129aedce138a2e53d04252f1a443ef2da64e
SHA256925bc7e9160d296407f05530d386eb67f804b17bb140e3576d88c60e7060e8da
SHA512e90127582074247ab2230ce52bcf45e197489cceece44b2084032837f09706092f86177f09efa3edadb308812a7194aaa5bfcc4c76a669241072d643050ed8a5
-
Filesize
1.2MB
MD51f605a0aa582221d2fca249fc4ec3558
SHA10a273f045e5eb473f3449f2eb5e91f2db2b88810
SHA2561d20e74f533de1b3109bb406e6c21220381db71c31b1f083407c08b41c20de55
SHA51265454f77aab6ede16f97818aa784031de199a122c6c0b02e82fd565592d6e890c5e9e82bb6d56ad7c56647e157b4d8e6e28d31e73aabbb9ab6007a2eb083b00d
-
Filesize
1.3MB
MD572308cf447799955ce0f3891fc6b5446
SHA11dbed5d670bd758cb800eda08b522ca5ee0a568b
SHA256e168a80e1e5e9d9003055790ed0edf29fcbcb9a0da27dc26ed15ac0d92ac5199
SHA51220993868984ca1ac31ef4abf1b83d0512e19100fe3e13946468fc3d3b569eaef5f96be326354cd835865afe93c8627ffad7fb85b3489fa62191917461118560e
-
Filesize
1.4MB
MD5739028d5173f30e1258499d5da472e24
SHA121c4bf72030d91ba7e4156a0308d9ed0438fd0cd
SHA25637bf180dee9a2082fcdfab0fe43c694376cccda4ec7e334221405be5a5f84659
SHA5126535642f15610ed449a7591a9bb1b6bb198b374d4789f8dcb11b8add5be5e8678cca5edaa413df3fd7ca51ebdbda68872a083c9345204b40cc7063b6294a11f4
-
Filesize
2.1MB
MD52b3e431a777d4a860bf852c4b91125ec
SHA15a8779a183d4393135c722ec06a307491297a5e4
SHA2569fc27409951abae65a92f5bb6484451a43ca23aa69c6bff53645160ad09bfcaf
SHA512a0ee30b706870b8282a2a9ef12693c4ec497cc170c6e551dc486d2143f89cced815953945f934f8269995e21daa6fe1b3fedf56e5be8113c365ed61abdb982f9
-
Filesize
1.3MB
MD5efd0da25d152f7a7cc042d95e825a3b9
SHA1e1e44d8da5135bbc8a08d5de6849fc86fb11d609
SHA256459c76864f5b2e863f82b824b8e0c715b2268d6c598958b49956de372eb03ff5
SHA5127d6716796fb0dedbd93b4b43d728fa4b44878fbf48bfb4b03c9d1d2591cb989eeddf7e8bbd3988504f72dae90df2bbef92475d612e99dc63996dda787a6cbd83
-
Filesize
1024KB
MD51c7f17f86b6924d4b5808ebe7945f82b
SHA1ab5178220e5c19fdb00f5cf1b2b65656dbd63c76
SHA2564ab3caeee921b0a3541aa41249b593b389520eeaeab26bb46c6c4d31ea698bdd
SHA51257ca5d9e6b2f8f6dff1c074c94f6422455211acf1e61e56de5560f58e65ac2e134094c9ece336e781b25f42427119eefe15537b925be0a3806d8a78301f9ecd3