Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/04/2024, 04:58
Static task
static1
Behavioral task
behavioral1
Sample
520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
Resource
win7-20240221-en
General
Target: 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
Size: 1.8MB
MD5: bc56577e2d52df71394b539564bfabc9
SHA1: 57fd99a67b8e88de86318ec6fe4d56653dd31e69
SHA256: 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233
SHA512: 333a2e72dc5270b6c8ec5eeeba71839f6d439d4f5b6d954afd3dde81a7311638e29f82ee83597258b93605c070bf76519b716acd2b7f6335304f9b6a3e766db1
SSDEEP: 49152:Kx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAGgDUYmvFur31yAipQCtXxc0H:KvbjVkjjCAzJQU7dG1yfpVBlH
Malware Config
Signatures
-
Executes dropped EXE 21 IoCs
pid   Process
3244  alg.exe
1224  DiagnosticsHub.StandardCollector.Service.exe
388   fxssvc.exe
3724  elevation_service.exe
1640  elevation_service.exe
4136  maintenanceservice.exe
392   msdtc.exe
3116  OSE.EXE
2016  PerceptionSimulationService.exe
1356  perfhost.exe
2008  locator.exe
396   SensorDataService.exe
4384  snmptrap.exe
532   spectrum.exe
2824  ssh-agent.exe
4084  TieringEngineService.exe
4564  AgentService.exe
864   vds.exe
2452  vssvc.exe
4388  wbengine.exe
4588  WmiApSrv.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 36 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
description  ioc  Process
File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  alg.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
-
Modifies data under HKEY_USERS 5 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"  fxssvc.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"  fxssvc.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"  fxssvc.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"  fxssvc.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"  fxssvc.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid   Process
1224  DiagnosticsHub.StandardCollector.Service.exe
1224  DiagnosticsHub.StandardCollector.Service.exe
1224  DiagnosticsHub.StandardCollector.Service.exe
1224  DiagnosticsHub.StandardCollector.Service.exe
1224  DiagnosticsHub.StandardCollector.Service.exe
1224  DiagnosticsHub.StandardCollector.Service.exe
1224  DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid  Process
660  Process not Found
660  Process not Found
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
description  pid  Process
Token: SeTakeOwnershipPrivilege  3276  520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
Token: SeAuditPrivilege  388  fxssvc.exe
Token: SeRestorePrivilege  4084  TieringEngineService.exe
Token: SeManageVolumePrivilege  4084  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege  4564  AgentService.exe
Token: SeBackupPrivilege  2452  vssvc.exe
Token: SeRestorePrivilege  2452  vssvc.exe
Token: SeAuditPrivilege  2452  vssvc.exe
Token: SeBackupPrivilege  4388  wbengine.exe
Token: SeRestorePrivilege  4388  wbengine.exe
Token: SeSecurityPrivilege  4388  wbengine.exe
Token: SeDebugPrivilege  3244  alg.exe
Token: SeDebugPrivilege  3244  alg.exe
Token: SeDebugPrivilege  3244  alg.exe
Token: SeDebugPrivilege  1224  DiagnosticsHub.StandardCollector.Service.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
"C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3276
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3244
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1224
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:2880
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:388
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:3724
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:1640
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4136
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:392
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:3116
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:2016
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1356
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2008
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:396
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4384
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:532
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:2824
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4988
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4084
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4564
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:864
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2452
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4388
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:4588
Network
MITRE ATT&CK Enterprise v15
Downloads
SHA111806ee5668b74388000da454ab8fe8aadd9be7d
SHA2560adc5297d567ee60c2d618d288c2709be98afaf94d6b3317be6c027c8da260ec
SHA51258a232d001fb0f4f26fcff6c7071f0489684ec909a98f41a9e2c650e6dffacb8cff1c9297811bace0f2e4e8993d7952d11ccba1fbee3e7100040e26f699d92cf
-
Filesize
910KB
MD5a92cefaa22c66578d39317d7e60d833e
SHA1533d19545d46d1ced89417a7c7f5406a9c4f238e
SHA2561a084deffdacaee05a80ff1b39dfea42cc08de20dc108eac9884b3aa32c3f02b
SHA51281c1238650b001f161e8b22e1b43b0e6e5f30fd6a3afcf20bc4413921d13550db10f5e1c7c0aaffe77798eea7228321951aff9f707e05aa9a0277be83d2a11a3
-
Filesize
24.0MB
MD5651ee71df6cbe58fdcc25cf23f09a381
SHA163334a87a69d41cade2eb545762c7d563cbea724
SHA2561c0b2de09a79e6fda477b6ce05d76107cc573ad9e0d5c58dae9a87220168f057
SHA512d99456ebedff0be6077620d274b2823a01227139ad8330308ab700bb4a6b8ff4ffc83831c951458ef2f2bd1daae5df21dd4275bb6f1806262fef5534b4f6ef7a
-
Filesize
2.7MB
MD5709fcebdadf4eebc6de28487bc3aaf7c
SHA17f59b545b31b899a050acdad48aeff11fbf16499
SHA2564676b58ffcd3d7a89c985fb6c2fa8a6cab390831aac31ad9b5939d25ab05c992
SHA5128f0e35cbcce929585ab55bca2c42c52918b065f107f65ca0cef4f64ac6c085e5d7da43919051f971c0ac9c2d6cd28061890b851533d5e0e7a1c12ed663ecdf76
-
Filesize
1.1MB
MD5a32148fc1ab85d7612fbe7574d6fd3b1
SHA189140e6f00d533c7dfbe10775ff85d6efa462220
SHA2566581dcbef61a3f7e60004e41ad0a071ab900e3c1e2b47577338b2febddee1417
SHA5123260d50e56368d51c1a082a0e032c0ba6e1b3a3d20d3f215ed6e961c613b1bb28b303a4b43ed69dcae5c8b8da816678b9bb259115635f0e28c1d585f16a361e3
-
Filesize
805KB
MD5a8982764f167310d263c93d17412f75e
SHA17da386238a7ffed26c9c1a9d2d503afc1de32fc6
SHA2564dabf3d1be67d7bccbbd6e593e3df6e28cf896030255237b72006c940ea38b38
SHA5129704c58feb3c2e3ccd0638f81d339719efa4433bc4d86c28ea94cc403130b91cdd811ea5e2fd5981b5353b13f6a82f1021b39e6d7f90254049046d908b663299
-
Filesize
656KB
MD5cd944c9ea6d908422e35f51f5455878d
SHA128dffb4de1a3101597a303690caaaf6901234d4b
SHA256a9a61bd29e0f17c2ba2d5c5662af261d5bc2ae68dde3ae95bd9b2123ab3fcc85
SHA512034fb2d547b1a8db26bc8f3ba8c5b1397de9d6fa29d96bd7897c4f8d12cbd1fd8f6e0d6b9fda6d1bae2691a0bdf4210264861212d5539f91d151c14af0f99b23
-
Filesize
4.8MB
MD5d44f7900bdafbcc620db5a92aa3d1e9a
SHA107275b5d427870fd86a12c366ff76b11fc0fb24e
SHA2561f62768c920379f1b47e2a46e33b1a6dc28d086caeabcd5b0b815f55ecd36c38
SHA5122e17eb3cbdc5bfbeaaf23f07250c013e02ec378e52189097f76dc04f78611170c89a8826451219fcaf552f1c070833f5f5952b33d8e2aa0a361f5684a1c268d6
-
Filesize
4.8MB
MD516ad5d591e18a1bd48b70ca458674d0a
SHA18d86dee9903a406736e652645549b2a7c100de48
SHA2565b91ec8a7d274a83ee11f353589c6cdbdfa0fe4a11ee0f1ab535039963015703
SHA5122d902d98193067f27e0d831a7236c33d04fc174bb8302420da47a2a6337c6d2aa67a0fa0611ff1676f945a1d8cc7550910d93e8c0c72c4592fbd16243bcbda6b
-
Filesize
2.2MB
MD5b104a87e2c06f49e0fd37962c3eaeeea
SHA1c95771c3af006c1e720fd760bbff97f413199c90
SHA256dc7bc33b3d6f38187b9a8308c33c1b653603362b8f09456440e619913ee2c1e7
SHA51272f7d5680534d795039e384ba5635015737295b6573f117118d2d8ddbaad4ad172f243cfa57730ad9cf4c5c8ee694a9967258686f459b216de02e63785125308
-
Filesize
2.1MB
MD5c7fe8aa4bf05e076a17192a7d6a64fab
SHA11b2541e95878bc8d8c7c059c960d5b8c1d8b238b
SHA25698909b5558239f4ddef131c1ed0216a8e7ac8b9477aee1756c828d360c254d5b
SHA512aa0df0f741e87eb05b99b790daeae07f8b533833621d6cd0307f6329b6b32c936798d3ba8b0c31a803430084f9a6e0bb52e9c09fcf46f362a88f13adbf4e3671
-
Filesize
1.8MB
MD5a4965f8e5b2680f1a5f0d37a1ff74bce
SHA141d32f39a0fdd480d8c2d48e9138ed7ada34258f
SHA256b75a91e85687ab4a9646c15a88e503574796090c86997efa3b5215ebfdd29f90
SHA512580af6f6063b82328cae34419128a4844669d45b8f0fb6df6be1db41d0e61cc55a9df5e53584fff13522a825910ade10cfc905cec792afe1083dcabc5b7fc4ef
-
Filesize
1.5MB
MD5ff8f05f6ceef29f06fee9f8cd016670f
SHA124bd6ced48c2b5778f10414393de66c1a75596db
SHA25610526726ace745911632d6da33d59002de1770ff36e0d19edf47971d28072f14
SHA51290ddb3e79bc82c59fe450266d094e1603fd0b3745373818cf5676bfe2724c2695ec35fe841851fd68140cc14d74bd0cafdab149a975a9f1f3e71dfa5f009424d
-
Filesize
581KB
MD5d7c480c4bab2a6e88d01ebc414cab283
SHA1297d334dcf125256851b7e35b5be6d9ae1b3336b
SHA256223d7f02160e62fdbbf4d63e6d12fb2e173da681cc38372123c680b8b7455c9d
SHA5121ffea55d3c58dad1aac4601d887547166d6819037c8b464225da1e1b9517aa758d1a82e3b222d4d44b9ca2973233ae5b947c7df1cb5163a7d41fc5c73f4a2825
-
Filesize
581KB
MD530732e6c935872327dc8d1e01ce76ed6
SHA190a4c2416f405037ba86bfd629b989bb045c4e95
SHA256678d5ef9a43e6eec4c220718bb47571941d5a59c3bf0174eb6bbc60e46543c02
SHA512ec444f39a6a41a629da5a547a2cd7da50937e56c1a77e651833fec550e3aa7946e8afe0ec51bd2028df74858b3635a2f65181ed8540751c6417389a5c20fe369
-
Filesize
581KB
MD5161f49609e73d1ce1967c73c4eb0e30d
SHA14c2aeb01f66424b7f7d9424fd976de8299afd4f3
SHA2569458e81b6b515de755fd002035abdb314a45c480ffbafb3b6f7853134a467ed2
SHA5125d5330c01b3694ab1e863a8230840616873c7d31138c1403e2660579a1622a5f88f4a35311a7243d8795b758309b21ff0177df65d65303fdbeabc9525a6766da
-
Filesize
601KB
MD55b7db5e1651718670d4c87c0d5a90d82
SHA1eca1f1a6501f02cad6aaaf5c92dc33d06875e752
SHA25641aaad23f17952e2c8c699e789f3492aa047cb57b338e91e99a13c904f19d0fa
SHA5126602cdda9dd0d091376b5c2cdc910a3dbe0593ad1458d30ce209164ffbc84c4f306ed23744a43bfc29d9a574065921310b6686aa462f4feb6c67965cfc6dae17
-
Filesize
581KB
MD58eb9addb02600166b5ed0a09bcfd9b92
SHA142fc1f7d842f1b4e10413e2d65f50555a50b27ba
SHA25615b1cc72468bc48e4135b64f2d911cfdba51fe417c31b25e11c051ac3045bb48
SHA512aed0b6e1e986c48de28bf456a5de5e4ef36e74d65b48c5ff671c093c9b41207acc5c8b139283f428a68ae492dfc4e1eedf4fd04a18b17a9a3278e596468f2c79
-
Filesize
581KB
MD575801b261e8f0ee8654206ca78267448
SHA1fb10a59c5da7dcad714cd8e278d4e41abae3d49a
SHA256e2a4f57aa0f99eb15fd619f037a078fa2fd6b6afc9a448178b20e5f6e1d2a6e2
SHA5123d45bd4a43d160084d81b51d61d0c000c82dc84d736a1098db530854874f23c5b742d4606facca982742c92fcdbad2e20135ae6150fb55c3fb447c5c3b68d9bf
-
Filesize
581KB
MD5fa7c1df169565f3cfd1be0ab239bc5e2
SHA1183b830cbbadac1269dc135a2426892006b881f0
SHA256a1bc0c3bd88fe261917229e80d41925a5beec42840d7e3419eb736907e417f86
SHA5128a166a7563c7cd1248c75c1805ccdec19ce695220223320d4b9cb1d31a18b9ce965a42bfe3ab61dd8e45c12300ab2ddce8b32b21252b0d209af0cc96d6c70256
-
Filesize
841KB
MD51f4996102cd8b10aa01ef370574e7478
SHA10b32b17231079cced9b48f4d8b053fe93aa46489
SHA2566260178f4c8929c822acc539d4c335f8c1d852d7c13b2770153577224671c041
SHA512c47d85ced2327134bf9e41b85bcefa6470e15b81b9eb266fca33980a427f21ba8ac50aa65eab51f8733005bfe24ca6e3161e03a0d3acdf439bfd1596fd5c1f35
-
Filesize
581KB
MD5687afdd48595b21f1ae24364865d3085
SHA156a87bded1c21d916ed8506f2601cb3d7f8caa23
SHA256f0158ffd0f7eeccbea51e00545f48ae2acc76523a403ad4fd0c92f6efd719baf
SHA512d3f11c83882bc482896ed76f379e3066e3f4322d36a0ea7622d5acc8edc0579d544d6567294553577fe885a986aa7d29da5c0d799738ea02da154a280c2e2cee
-
Filesize
581KB
MD5b0e5f11aedb7edf11e74d0070ef2b32e
SHA12e82c08f8a490232ef32c46717cb5dbccead2af5
SHA256e1c3ade0c0c8bfc8586948ddfa0a482f6ff7655e1563661a341301916b71acef
SHA5122481b864cb4c37a7e0dbe49f17e5aa488be2bacbc29b98bf954cde859c6e941d368ac4037989f0926c3a73ce0773e7adf5630e019b609036623612d7ecc2293e
-
Filesize
717KB
MD5341718e41c9bd94b0e17c0d61d4dab1e
SHA1669e7701a327a20e236a33749e4d4adc61d42d6a
SHA256cf0b3b0de9e51ab86767300b51d3f352e9cde258fe09d00e0262a60a289c2a27
SHA51254ff1029e322e6582a9b9e6e01080789cc7f3b6f11a55c3129f76c9dd5eb799500186a49eded889d6499838d312ca43cdab9b32ae810c3f4b1c1e5b6b1b2a780
-
Filesize
581KB
MD57af785d2e419db356ed95c699e6f904b
SHA14c6b87ff7d82a2134492a42f77998c680ca477fd
SHA2569f9110ab703dcd5330ee04ccdc541b3cadb93940e182212b4323ad6781d32ad4
SHA5121947d71e8ced6c2352e1c24a1c0e434fad25a26564ec83c9e73bb0af60c401d1830bbb53d4e05d90712421b18bb72a06b29c1ee1c6fe0025f18da4c55d551891
-
Filesize
581KB
MD5161ea79ef1e8f250fe4e79c7875e263d
SHA1ddcc7af2eb12686388c70dccaf837fb401f6052c
SHA2564f18934da01e8ba662b92d87b5acb7b075b55852b9c616c9ff75554f6ee7e5ca
SHA512fc55e9248b811ddeb6a5032508df23ab896d5956f6e33a391c320bae9fbee546a57a7cedef457f6727c42c26477180e5ac9f24c394806c8d52c0e6c44aeec6b1
-
Filesize
717KB
MD5b2a1f915cd77a2b7a2f09c3ad3cdcf3d
SHA10dffd20ed10f2e356083bd861716d9af25c1c04a
SHA25645f13dc29d3a43b1aed876f1aaffa539a5760dfa3cded406bc3474a6a2d15464
SHA512b20ba58fcc9e293e390dcf6acab3fccf0cff0e6a4021b0725af4fca2f67cc0011dae209ba6d061aa5c3eb2d716d9f648df995e9efce3692add3c98c7847afb30
-
Filesize
841KB
MD5692f19af04a70b08d704251797c6a70a
SHA11a3be1776c3736ff5b04572c47a71f454bbf06ec
SHA25608bb956139c1878e900f7ded82576cb245a43d3c4138930c3786346c8ad990df
SHA5121267648305b8e11503c003194ffc6bee05d4c6d3ee197ebaae2acd01d7b2d89d9aa0cdd2ac36776e102f18fa03d139b7d5e5e2497e58164e9a1853a2a61155e0
-
Filesize
1020KB
MD5d3cc3cd61458e97ba2fab871b515a06f
SHA12bea9cf808da09fcb12ac5dc0e62f8a87d36971b
SHA256416587b2a67d258fc4e33eb32a34f92f5afe20a74d2d13f30624d1663c1aafe7
SHA512a982d5ad4aac7173af20e72e95c9269666d5f98985863688a7b65bc9852b7fbe895c1d1b35ee41841943e5b98af66faf260877d7f7425f7186560849dca88daa
-
Filesize
581KB
MD51efc21509570da7aa70a21cfcee8e42f
SHA14d493768dc76cd8881bb612c5fb0488a4e5a0c13
SHA25605d8355a20ad1f44ddfc1af59c7231be54e44cf2359fcd4c640d8f16320a9b8f
SHA51278d402e1f33d681e0317709db230ecf9a6d2270e4d4d49ae68d54a1b08a9ae7c86d7b320242e470a848b32cdd6b5ed5facaca86638126cd855453bde547d3231
-
Filesize
696KB
MD5ccc63ed6ea22de6806e260127753ce24
SHA12d5b025fca8f28c3d199ee0b264f51e09b5506c6
SHA25685dbabebf455ef9d2be11566f2d1774d3bec9781b59d5cccc872d67f5bfdd510
SHA5128a9b462ded1a854cd79fc0c2a169d74969a165c62809d692c1f53c4f42a8b729190d71bb8297dda53e428289a1191286fa766c36ea6a5ea168ecc60e7b66b500
-
Filesize
588KB
MD553c23b6c3b9f93e81578f4e12825cad5
SHA142e7df7cd25d8f1faacd6dbf98fbe8d78883bfff
SHA256446ca8b3ce9bfdc8ccd5ff42c4d34e8afe02da80afed8eed7ab48f99ad4818a6
SHA5123918f94717eb92e967d0ac9a7c283d7a77a35e399745a36f5de51de76a38f60659f80c782cf8ad57f8578b3ecccff64a8c0ca58f5cb436b096c1d7d12d4cb086
-
Filesize
1.7MB
MD572b0a8ca97b891942832eca097bf5acb
SHA15e39a186f34bac477ea6d16cd19fe4ae5da87701
SHA256c7783de38d8884fd395cf2cc9e410e03a7274364ecdddc5f16367d9559dc4756
SHA512155b6274f3662fe6a662e0f45a9808ffa44f215fd9616afe16a0589d603a55f65057736e08247d32623537b25e3b6d7ac737ecf5ffd6ea2bc46db447eb9ab750
-
Filesize
659KB
MD5bc488d6fa4e22f50ddbf2d1977f82201
SHA19ad728a16ed94592166f4fca00870f5958d2eac1
SHA256974a88495b41f32da0c2830fcb6d87b81b163040bb9293d1b85ae37298fd5464
SHA51221f77bb5b290b98106b7b71a22dbb52af0d4d42e078a5a90769630fa2bbda175658f1cc11d4892f308ca22470c62c495737fe93314a15bd259737a2f620ff35c
-
Filesize
1.2MB
MD5c044292b1d8c2a4e48372837d346a4c6
SHA1c40d3a9cfe39ff96c39f49ccfc9b9807288a2688
SHA256455832291cb91f70fa0600be085c72c5183ffd0ff740ecdc8319d69a33ff6671
SHA512ec78a6acc4caf8cfb7be8e278ab6e32fcadb7aa9071d72ade5a6cc7751e904fc66fd1c75948b6e2e0d49f5fc39b7012d25efad6b2f97d2863671624fcf69906f
-
Filesize
578KB
MD502f437a823fec303d800babe992c3a9c
SHA11d33e515bfcf88a98eb6ab93802b8afa164103eb
SHA2565e9a9adf92ef04576cdc160ac97bd94e31e67ab820e3717b3d28eaf8d4b972b9
SHA512e1d6ddea3ec0372092250336af3c68597575b1d02045907ddc8ae777c92a7e403a47a82ca16b1a09f3be33056e1d8040877e1a6d823a4595550d6ee36d5ccfb5
-
Filesize
940KB
MD581b60d0670b65720466cb09f7a65f323
SHA1a84aa8798038cf23ed625201503b8ec4152d4898
SHA2566074babd659e4742f9962454b1073198f9491e901d2ed372804b1fb8a968de08
SHA512d92139a6de0df722ee70b53083ddd5970544b473ea0a2cba34d24ed3673b55a55e19b0e22d70fd3ce0622d41d4151cc3ccf03889bb1911fc8c6a6f20e221a048
-
Filesize
671KB
MD50029049f834ba1a9ad43710aecd3ee0a
SHA15dc966605afcd20090c4e742d104436bc25ed1ba
SHA256fdd0f31f7bcb87d80fe9d746ac0488f49922c1f768d4f44578e04cf012c7f88e
SHA512c5003508fdfcd4b540d9607b8ea2a1d270f9ac1e5e8eb52216019738d447379f1f9de0068ad1000ed18c389491a7a43a08057b7f3df379915c9a04251b16983d
-
Filesize
1.8MB
MD53fd51aa567cc378024354ea074bb8b44
SHA1a65ceb23605f4461e62c5852b18ba3fb7e146940
SHA2564b857156d32b5322c5317948b568a0ee333c014585d7b1c9924ba4db94d88c98
SHA512d62dacba4ccc59333a8797177be516e01209931dfd955d5bbcc1f8efd80e8448107118c90da93c8d3d3e8530dce00a9e5abf37f7529dff512dba2153b3889ffd
-
Filesize
1.4MB
MD560590c19ef723a7fccb827805ff66e4e
SHA16e096c37bee8dcec96bd8b5f9581e8aa7717bbd3
SHA256823dc68bc57d4a5c1d240c56f9f4d2edba8ab58a47b7d8279443e0273d0d9138
SHA51278fc986b72f0ad6150fb4a2427ee1678a5e097603f89e1686d8de55a61dd5a27f547752584d1b6f5c186d01ec88de65c14315dd3e4f99ba047fb00503d3f2e96
-
Filesize
885KB
MD5e46a5cd7ddbb4892f61d2cf5f1a8a1d3
SHA112d5b155ee8a1cfb1c860e7a8ef0123f78d6496a
SHA256fffa53141082d125ddd0a4b9520c57923c4c946cdc88ad422db302326292fd28
SHA5127ec0c8f06cfe9cc0081ed35394c807c544cfa8c2f76f19d8eb973b0063f93cd20c1f9b34c22b4369f68ebe9aec1a252815e0c932539c0e6d4936a51f3b403e68
-
Filesize
2.0MB
MD52047c5b9f6c3c5cdc1d043572bd6273d
SHA1575080dfc58f9901ad6df45c21914dee5c3510d6
SHA2564f765b61396900ba565df833bb8c69dfd432ffa88b053efa85c08e952db38c34
SHA512b108c9f8419e1c54aefa9b433ac66731b04a816703e4737847068eb4bc7ad1ac638e880de78d774cf835272059fb9bb33e500d82300acfab4131d17653d2fe7b
-
Filesize
661KB
MD5f9f4d81e1938f1b61620ddaae20d7a06
SHA132c1c370db5c13c8884245b6bffc2f0b8a491708
SHA2560aa4b87f8209d8bf8311a3d78da0c9b71caab4f3cfd7abb9b9d1e927e503883c
SHA5129fca0134d7c47b771f38bcddc75058f81a6cd91d3d32aeae6d9f29f706715fecbac7d56173c12e4a6c449d575a8c3c2cdc46fdef0241befe2308064c6953ead8
-
Filesize
712KB
MD52c9ac88315ffe0fbbdd7efc1481c7c91
SHA1f3b3396ee4253ba954606e23db6b732a206e97fb
SHA2564a4e098f8305ea8025d03b995e2de747bb08c23908fb8c5d0e7872de96808d3e
SHA5120db41ad447fc81d41da5716edbf1e41145896b092c21394df9322b0fc4d5f9a528170b296d7e6f4e6518cc9591da7572bddb2364e3c0b36e7e3b4c9c8abacc4f
-
Filesize
584KB
MD528c64775e65718bd152744f5b6b4a5c4
SHA1ecc2fc5e9dbec447dcd3f0544526d896295a468b
SHA256e17e882764622ae4499f8f89f9b7d293b92a239651850409c43ba53f8a71768c
SHA512f2a9e66c1c5b101d6cc6bc1507ccf9966228aebc7b3543b9ca5a085bc8b658b8a6e7dcf118c82effbec9f55c1c69d72decb224807ca497b921745e51c18e1fbc
-
Filesize
1.3MB
MD555f36741e13b1176f5d0acc27bfb9bcb
SHA114ef8cce4d21a08a67f079fdab010e676d26ede9
SHA25671fec4d2677d1a2288894f118afd755c824f97ecefd748559808c0487a588c6d
SHA5128da10ba169e4d83cf9a3356767730f4f2e67c96a9c5bb92ba2652655845d045494ba7301edb29ddb7a22741cfc5c65454877f9765f11cc08b2a989a865cad2a9
-
Filesize
772KB
MD588f7a3f9db2c4e2d8d8e1f4c20f650c8
SHA160f7097145d80aed1a4215ddf966dea6f2d24dfd
SHA2566e348feb14e70e69815d05c1459919641ea4c3092763c05e2b8de34d09e3c466
SHA5125b055dcae1546ca66c986a073b363a52e6100c1f7562f2a87fec119af952c6c11fd36d37dabb5a46b3629ee1ded3968209adb5bb414f311d8c4582f2b958f840
-
Filesize
2.1MB
MD5253e531f3771a9517aaf9d226ee830e5
SHA1bd09d2f3cece0fc96c1cdaec9b1455a491d663d3
SHA256a416cd68a79c88a00710a5c80885fd9f1f32823047d473d1e9db99ef85f91bac
SHA512ec81742a3ff2a5472d4dcc1748d22d8954ad89937dba59f3c8e668294a06d8c317d5d2a03bc1c7d0991b6158177602b3fe009598a14d969a5f50fb3c80643221
-
Filesize
1.3MB
MD539351a4576d274123c5a94720e36189e
SHA14326794a82890fc4bdd0af6f81a8cfa86837cc3e
SHA256e2483dcde5077980dc3d30d45069775934ebda6562c4f3812a0485ff936fa73d
SHA51280fa318eab793c40c50dcdbe6ca8401fec62b131d2f39a59c8624a0bb863dabbfb72327db576f402553702dd2b6fc34fe25b6932e02b3298a75af0c8c2e4c809
-
Filesize
877KB
MD5c4af3e6a53d629c6e12141262eff8a62
SHA18a0b1dd393f340736c20084fbdca309969c3096d
SHA256c6161d403a962b1823632ead00f70a2091145c1023c973a856bc7962e1f729df
SHA512d3928d7824933bd610409717542a08f059be67f0a68a4564e3932e31c0f3a8dfca06c1e9e542756b2c86e0d1bcbeda587d968b7a2f289d0e28b26a67ffd76385
-
Filesize
635KB
MD5ff20d29a8d196e605dc4633da82de689
SHA185817c11c5dfebfc77b592910bd0ea8a20b7daf4
SHA25633303ebbd63fd681365b0feee6e6370a0af5ee5609179986cb4d10e22bc80fff
SHA51270ec4a876df265789c17c7d90cb27ec27c929da15a1f88ae03cf17e79163ff961a45ee7da052ad30d49af079599dfc9399dc9b24bb2c9b0afac61bf819c8cf65
-
Filesize
5.6MB
MD5b590413ed93bef6df9c9f10bb8b7aa46
SHA19bf5202c8358ba0c3529cc328d40127bca4b39db
SHA256b1d25849392dabc5bbda88e64a1ce22c4ac3abdd9e601792b87a76f38ca08ccf
SHA51212cf74ecc1548abb77b54228ab11f8dea10d5c2f67f4d0f2067d452225587dcbca7e3af846a280cde3d7d20735846b3b3890549c46b8ffdb159a26e41e57494c