Analysis

- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-06-2024 18:25

Static task: static1
Behavioral task: behavioral1
- Sample: 2024-06-12_11145f3c7b5280396dd8b36cc67267f1_snatch.exe
- Resource: win7-20240221-en
General

- Target: 2024-06-12_11145f3c7b5280396dd8b36cc67267f1_snatch.exe
- Size: 24.7MB
- MD5: 11145f3c7b5280396dd8b36cc67267f1
- SHA1: 9c57ee77b39dcc05055c287dccd338bd8e7cf744
- SHA256: 3118301d1e8a265d92c26a56630a30575847534f2b3ecc3f4de5bc0627b6b4a2
- SHA512: 6a5bb85f79bc65d1ea2841c49b1be3c25eb30a320f7c416eb2a862c1268d7e80fd52670cebccc8753f25bb0168fd3c060c04edeb6f6a1c0471031eae696cd1bd
- SSDEEP: 196608:eWOrf5mIzGtNYH8je1uqM+HHThsdVQBWG:eWCf5mAeNYH8sU+HzfB
Malware Config
Signatures
- Detects Windows executables referencing non-Windows User-Agents (2 IoCs)
  YARA matches (resource: rule):
  - behavioral2/memory/2840-12-0x0000000000400000-0x0000000001D2D000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
  - behavioral2/memory/2840-233-0x0000000000400000-0x0000000001D2D000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
  Both hits are dumps of the same 0x400000-0x1D2D000 image region of pid 2840, which the AdjustPrivilegeToken list below identifies as the submitted sample's own process.
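The rule name says what it looks for: a PE image that carries HTTP User-Agent strings written for other platforms, which is typical of cross-platform code that bundles one HTTP client for several operating systems. The Python below is an added example, not the YARA rule itself and not code from this report: it approximates that check with its own string list. SAMPLE_DUMP is a constructed byte buffer standing in for a dumped image region, not the real pid 2840 dump, and the product tokens in UA_RE and the platform markers in NON_WINDOWS_MARKERS are my choices, not the rule's.

```python
import re

# Constructed stand-in for a dumped image region (like the 0x400000-0x1D2D000
# range of pid 2840 in this report). Not real dump data: an MZ stub plus a few
# embedded strings.
SAMPLE_DUMP = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36\x00"
    + b"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/115.0\x00"
    + b"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)\x00"
    + b"Dalvik/2.1.0 (Linux; U; Android 11)\x00"
    + b"\x00" * 32
)

# A User-Agent product token and the rest of the string up to a NUL or newline
# (token list is an assumption, not the YARA rule's strings).
UA_RE = re.compile(
    rb"(?:Mozilla|Dalvik|curl|Wget|Go-http-client|python-requests)/\d[^\x00\r\n]{0,200}"
)
# Platform tokens a UA built for a Windows host would not carry (assumed list).
NON_WINDOWS_MARKERS = (b"X11", b"Linux", b"Macintosh", b"Mac OS X",
                       b"Android", b"iPhone", b"iPad", b"CrOS")


def is_pe(buf: bytes) -> bool:
    """MZ magic: this rule genre only fires on PE images."""
    return buf[:2] == b"MZ"


def _text_views(buf: bytes):
    """Yield the raw bytes (ASCII/UTF-8 strings) and the buffer re-encoded from
    UTF-16LE at both byte alignments, so wide strings are found as well."""
    yield buf
    for off in (0, 1):
        yield buf[off:].decode("utf-16-le", errors="ignore").encode("utf-8", errors="ignore")


def extract_user_agents(buf: bytes) -> list:
    """Unique User-Agent strings, in first-seen order."""
    seen, out = set(), []
    for view in _text_views(buf):
        for m in UA_RE.finditer(view):
            ua = m.group(0).rstrip()
            if ua not in seen:
                seen.add(ua)
                out.append(ua)
    return out


def classify_ua(ua: bytes) -> str:
    """'windows', 'non-windows' (names another platform) or 'unknown'."""
    if b"Windows" in ua:
        return "windows"
    if any(marker in ua for marker in NON_WINDOWS_MARKERS):
        return "non-windows"
    return "unknown"


def scan(buf: bytes) -> dict:
    """Approximation of the NoneWindowsUA check: a PE image carrying at least
    one User-Agent that names a non-Windows platform."""
    uas = extract_user_agents(buf)
    non_windows = [ua for ua in uas if classify_ua(ua) == "non-windows"]
    return {
        "is_pe": is_pe(buf),
        "user_agents": uas,
        "non_windows": non_windows,
        "flagged": is_pe(buf) and bool(non_windows),
    }


if __name__ == "__main__":
    for ua in scan(SAMPLE_DUMP)["non_windows"]:
        print(ua.decode())
```

Run against a real dump, the interesting output is the list of non-Windows UAs rather than the boolean: a single Linux UA inside a legitimate cross-platform updater is noise, while a full set of Linux, macOS and Android UAs in a 24 MB binary that also rewrites service executables is worth a closer look.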
- Executes dropped EXE (22 IoCs)
  pid / process:
  - 1572 alg.exe
  - 1624 elevation_service.exe
  - 1372 elevation_service.exe
  - 1468 maintenanceservice.exe
  - 2608 OSE.EXE
  - 632 DiagnosticsHub.StandardCollector.Service.exe
  - 1832 fxssvc.exe
  - 1904 msdtc.exe
  - 1180 PerceptionSimulationService.exe
  - 4776 perfhost.exe
  - 4004 locator.exe
  - 1708 SensorDataService.exe
  - 3996 snmptrap.exe
  - 3076 spectrum.exe
  - 4860 ssh-agent.exe
  - 3440 TieringEngineService.exe
  - 2060 AgentService.exe
  - 5008 vds.exe
  - 1960 vssvc.exe
  - 4012 wbengine.exe
  - 1032 WmiApSrv.exe
  - 528 SearchIndexer.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
- Drops file in System32 directory (24 IoCs)
  Files opened for modification, grouped by the writing process:
  2024-06-12_11145f3c7b5280396dd8b36cc67267f1_snatch.exe:
  - C:\Windows\System32\alg.exe
  alg.exe:
  - C:\Windows\system32\config\systemprofile\AppData\Roaming\68d9cb2c293b476c.bin
  msdtc.exe:
  - C:\Windows\system32\MSDtc\MSDTC.LOG
  elevation_service.exe:
  - C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - C:\Windows\System32\msdtc.exe
  - C:\Windows\System32\SensorDataService.exe
  - C:\Windows\system32\TieringEngineService.exe
  - C:\Windows\system32\wbengine.exe
  - C:\Windows\system32\wbem\WmiApSrv.exe
  - C:\Windows\system32\fxssvc.exe
  - C:\Windows\System32\snmptrap.exe
  - C:\Windows\System32\OpenSSH\ssh-agent.exe
  - C:\Windows\System32\vds.exe
  - C:\Windows\system32\AppVClient.exe
  - C:\Windows\system32\dllhost.exe
  - C:\Windows\system32\SgrmBroker.exe
  - C:\Windows\system32\spectrum.exe
  - C:\Windows\system32\AgentService.exe
  - C:\Windows\system32\SearchIndexer.exe
  - C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - C:\Windows\SysWow64\perfhost.exe
  - C:\Windows\system32\locator.exe
  - C:\Windows\system32\vssvc.exe
  - C:\Windows\system32\msiexec.exe
- Drops file in Program Files directory (64 IoCs; this and two other sections on the page stop at exactly 64 entries, so the list is likely capped and incomplete)
  Files opened for modification, grouped by the writing process:
  elevation_service.exe:
  - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
  - C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
  - C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
  - C:\Program Files\Java\jdk-1.8\bin\javaw.exe
  - C:\Program Files\Java\jre-1.8\bin\kinit.exe
  - C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe
  - C:\Program Files\Java\jdk-1.8\bin\wsgen.exe
  - C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
  - C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
  - C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
  - C:\Program Files\Java\jdk-1.8\bin\ktab.exe
  - C:\Program Files\Java\jre-1.8\bin\policytool.exe
  - C:\Program Files\Mozilla Firefox\maintenanceservice.exe
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
  - C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe
  - C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
  - C:\Program Files\Java\jdk-1.8\bin\jstack.exe
  - C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
  - C:\Program Files\VideoLAN\VLC\vlc.exe
  - C:\Program Files\Java\jre-1.8\bin\klist.exe
  - C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
  - C:\Program Files\Java\jdk-1.8\bin\jstatd.exe
  - C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe
  - C:\Program Files\Java\jre-1.8\bin\jabswitch.exe
  - C:\Program Files\Java\jre-1.8\bin\javaws.exe
  - C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
  - C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
  - C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  - C:\Program Files\Internet Explorer\ieinstal.exe
  - C:\Program Files\Java\jre-1.8\bin\rmid.exe
  - C:\Program Files\Internet Explorer\iediagcmd.exe
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
  - C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
  - C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe
  - C:\Program Files\Java\jre-1.8\bin\unpack200.exe
  alg.exe:
  - C:\Program Files\VideoLAN\VLC\uninstall.exe
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  - C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
  - C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
  - C:\Program Files\Java\jdk-1.8\bin\javaws.exe
  - C:\Program Files\Java\jdk-1.8\bin\wsimport.exe
  - C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
  - C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
  - C:\Program Files\7-Zip\7zFM.exe
  - C:\Program Files\Java\jdk-1.8\bin\jjs.exe
  - C:\Program Files\Java\jdk-1.8\bin\policytool.exe
  - C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe
  - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
  - C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
  - C:\Program Files\Internet Explorer\iediagcmd.exe
  - C:\Program Files\Java\jdk-1.8\bin\java.exe
  - C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe
  - C:\Program Files\Java\jdk-1.8\bin\klist.exe
  - C:\Program Files\Java\jre-1.8\bin\pack200.exe
  - C:\Program Files\Java\jdk-1.8\bin\j, hat.exe
  - C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe
  - C:\Program Files\Mozilla Firefox\private_browsing.exe
  - C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe
  - C:\Program Files\dotnet\dotnet.exe
  - C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
  - C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe
  - C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe
- Drops file in Windows directory (2 IoCs)
  Files opened for modification (process: file):
  - msdtc.exe: C:\Windows\DtcInstall.log
  - elevation_service.exe: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
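Read together, the three "Drops file" sections and "Executes dropped EXE" describe a chain: the submitted sample opens C:\Windows\System32\alg.exe for modification; alg.exe then runs (pid 1572) and writes to third-party executables under Program Files plus a .bin under the system profile; elevation_service.exe (pid 1624) opens about twenty service binaries under System32 and many more under Program Files; and those services (fxssvc, msdtc, vds, vssvc, wbengine, SearchIndexer and others) subsequently execute. The report records no parent pids or timestamps in these sections, so the Python below, an added example that is not part of the report, reconstructs the chain purely from the overlap between "a file named X was opened for modification by P" and "X executed". MODIFICATIONS and EXECUTED are a hand-copied subset of the report's own entries; the hop count treats such an overlap as evidence, not proof, that the executed image was the tampered copy.

```python
import ntpath
from collections import defaultdict, deque

# Copied from this report's "Drops file" sections (a subset, kept short):
# (writing process, file opened for modification).
MODIFICATIONS = [
    ("2024-06-12_11145f3c7b5280396dd8b36cc67267f1_snatch.exe", r"C:\Windows\System32\alg.exe"),
    ("alg.exe", r"C:\Windows\system32\config\systemprofile\AppData\Roaming\68d9cb2c293b476c.bin"),
    ("alg.exe", r"C:\Program Files\7-Zip\7zFM.exe"),
    ("elevation_service.exe", r"C:\Windows\System32\msdtc.exe"),
    ("elevation_service.exe", r"C:\Windows\system32\fxssvc.exe"),
    ("elevation_service.exe", r"C:\Windows\system32\vssvc.exe"),
    ("elevation_service.exe", r"C:\Windows\System32\vds.exe"),
    ("elevation_service.exe", r"C:\Windows\system32\wbengine.exe"),
    ("elevation_service.exe", r"C:\Windows\system32\SearchIndexer.exe"),
    ("elevation_service.exe", r"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"),
    ("elevation_service.exe", r"C:\Program Files\Mozilla Firefox\maintenanceservice.exe"),
    ("elevation_service.exe", r"C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE"),
    ("msdtc.exe", r"C:\Windows\system32\MSDtc\MSDTC.LOG"),
]
# (pid, image name) copied from "Executes dropped EXE" (subset).
EXECUTED = [
    (1572, "alg.exe"), (1624, "elevation_service.exe"), (1372, "elevation_service.exe"),
    (1468, "maintenanceservice.exe"), (2608, "OSE.EXE"), (1832, "fxssvc.exe"),
    (1904, "msdtc.exe"), (5008, "vds.exe"), (1960, "vssvc.exe"), (4012, "wbengine.exe"),
    (528, "SearchIndexer.exe"),
]


def basename(path: str) -> str:
    # ntpath splits backslash paths correctly on any host OS; names are case-folded.
    return ntpath.basename(path).lower()


def writers_by_name(mods):
    """image name -> set of processes that opened a file of that name for modification."""
    out = defaultdict(set)
    for writer, path in mods:
        out[basename(path)].add(writer)
    return out


def reconstruct_chain(mods, executed) -> dict:
    wb = writers_by_name(mods)
    executed_names = {name.lower() for _, name in executed}
    tampered_then_run, self_modified, no_recorded_writer = {}, [], []
    for name in sorted(executed_names):
        writers = wb.get(name, set())
        others = sorted(w for w in writers if w.lower() != name)
        if name in {w.lower() for w in writers}:
            self_modified.append(name)          # wrote a file carrying its own name
        if others:
            tampered_then_run[name] = others    # modified by someone else, then executed
        elif not writers:
            no_recorded_writer.append(name)     # executed, but no write to that name recorded
    return {
        "tampered_then_run": tampered_then_run,
        "self_modified": self_modified,
        "no_recorded_writer": no_recorded_writer,
        "staged_not_run": sorted(n for n in wb if n.endswith(".exe") and n not in executed_names),
        "non_exe_drops": sorted(p for _, p in mods if not p.lower().endswith(".exe")),
    }


def hops_from(root: str, mods) -> dict:
    """BFS over writer -> modified-executable edges; distance in hops from root."""
    edges = defaultdict(set)
    for writer, path in mods:
        name = basename(path)
        if name.endswith(".exe") and name != writer.lower():
            edges[writer.lower()].add(name)
    dist, queue = {}, deque([(root.lower(), 0)])
    while queue:
        node, d = queue.popleft()
        for nxt in sorted(edges.get(node, ())):
            if nxt not in dist:
                dist[nxt] = d + 1
                queue.append((nxt, d + 1))
    return dist


if __name__ == "__main__":
    chain = reconstruct_chain(MODIFICATIONS, EXECUTED)
    for name, writers in chain["tampered_then_run"].items():
        print(f"{name:26s} modified by {', '.join(writers)} before it ran")
    print("reachable from sample:", hops_from(MODIFICATIONS[0][0], MODIFICATIONS))
```

Two things the output makes visible that the flat lists hide: the only executable the sample itself touches is alg.exe, and the graph from the sample stops there (alg.exe reaches 7zFM.exe, which never ran), while the large fan-out comes from elevation_service.exe, for which the report records no writer other than itself. That gap is exactly what an analyst should fill from the process tree or a file timeline, not from these lists alone.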
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  All keys below are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ and are grouped by the reading process; the operation is "Key opened" unless marked "Key value queried".
  spectrum.exe:
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A
  - Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
  - CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
  - CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
  - Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
  - Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
  - CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C
  - Key value queried: CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName
  - CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C
  - Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
  - Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
  - Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  - Key value queried: CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
  - CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
  - CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A
  - CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  - Key value queried: CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
  SensorDataService.exe:
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
  - Key value queried: CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName
  - Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
  - Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C
  - Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A
  - Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
  - Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  - CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
  - CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
  - CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
  - CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
  - Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
  - Key value queried: Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
  - CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
  - Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
  - CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
  - Key value queried: CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A
  - CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  - Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
  - CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C
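The keys above are device instance paths whose Ven_ and Prod_ segments carry the (virtual) hardware vendor and model, and FriendlyName is the one value that returns a readable model string, so reading it is the usual way code checks for QEMU, VirtualBox or VMware devices. The Python below is an added example, not part of the report: it parses lines in the form shown in this section, classifies each device ID against a small marker list of my own, and summarises per process. REPORT_LINES is a hand-copied subset of this section; the marker list and its labels are assumptions, not anything the sandbox uses.

```python
import re
from collections import defaultdict

# Lines copied from this report's "Checks SCSI registry key(s)" section (a subset).
REPORT_LINES = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 SensorDataService.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName SensorDataService.exe
""".strip().splitlines()

# "<operation> <key path> <process>"; key paths in this report contain no spaces.
LINE_RE = re.compile(r"^(Key opened|Key value queried)\s+(\\REGISTRY\\\S+)\s+(\S+)$")
DEVICE_RE = re.compile(r"\\Enum\\SCSI\\([^\\]+)", re.IGNORECASE)
ID_RE = re.compile(r"^(?P<cls>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)")

# Substrings of "<vendor> <product>" that name a hypervisor or its device model
# (assumed list; "Msft Virtual" also appears on bare metal when an ISO is mounted).
HYPERVISOR_MARKERS = [
    ("qemu", "QEMU/KVM"), ("vbox", "VirtualBox"), ("virtualbox", "VirtualBox"),
    ("vmware", "VMware"), ("xen", "Xen"), ("virtio", "virtio (KVM)"),
    ("msft virtual", "Microsoft virtual DVD (Hyper-V guest or mounted ISO)"),
]


def classify_device(device_id: str):
    """Hypervisor label for a SCSI device instance ID such as
    'CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM', or None when no marker matches."""
    m = ID_RE.match(device_id)
    if not m:
        return None
    text = f"{m['ven']} {m['prod']}".replace("_", " ").lower()
    for marker, label in HYPERVISOR_MARKERS:
        if marker in text:
            return label
    return None


def parse_report(lines) -> list:
    """One event dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        op, key, proc = m.groups()
        dev = DEVICE_RE.search(key)
        events.append({
            "op": op, "key": key, "process": proc,
            "device": dev.group(1) if dev else None,
            "friendly_name": key.lower().endswith("\\friendlyname"),
        })
    return events


def summarize(events) -> dict:
    """Per process: hypervisor markers touched and devices whose FriendlyName was read."""
    acc = defaultdict(lambda: {"hypervisors": set(), "friendly_name_queried": set(), "keys": 0})
    for ev in events:
        entry = acc[ev["process"]]
        entry["keys"] += 1
        label = classify_device(ev["device"]) if ev["device"] else None
        if label:
            entry["hypervisors"].add(label)
        if ev["friendly_name"]:
            entry["friendly_name_queried"].add(ev["device"])
    return {p: {"hypervisors": sorted(e["hypervisors"]),
                "friendly_name_queried": sorted(e["friendly_name_queried"]),
                "keys": e["keys"]} for p, e in acc.items()}


if __name__ == "__main__":
    for proc, info in summarize(parse_report(REPORT_LINES)).items():
        print(proc, info)
```

Two caveats when weighing this signature. Msft Virtual DVD-ROM is also what Windows creates when an ISO is mounted, so only the QEMU device is a strong hypervisor tell here; the disk's vendor string (DADY) matches nothing, which is consistent with the sandbox masking its disk but not its optical drives. And the two readers, spectrum.exe and SensorDataService.exe, are Windows service binaries whose normal job includes device enumeration; both were also opened for modification by elevation_service.exe above, so the registry reads alone do not show whether the original service code or injected code did the querying.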
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  TieringEngineService.exe:
  - Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- Modifies data under HKEY_USERS (64 IoCs)
  All keys below are under \REGISTRY\USER\.DEFAULT\; "MuiCache\" abbreviates Software\Classes\Local Settings\MuiCache\2a\52C64B7E\. Entries are grouped by the writing process. The writers are the Windows Search host processes and the fax service, both of which appear in the executed list above (SearchIndexer.exe, fxssvc.exe); the values are MuiCache display strings, file-association keys and shell-extension cache stamps written under the default profile.
  SearchProtocolHost.exe:
  - Set value (str) MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"
  - Set value (data) Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6a0d734f6bcda01
  - Set value (str) MuiCache\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"
  - Key created Software\Microsoft\Windows\CurrentVersion\Explorer
  - Key created Software\Microsoft\Windows
  - Key created Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd
  - Set value (str) MuiCache\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"
  - Set value (data) Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000017e17534f6bcda01
  - Key created Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList
  - Set value (str) MuiCache\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"
  - Set value (str) MuiCache\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"
  - Set value (data) Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000022ae134f6bcda01
  - Key created Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList
  - Key created Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff
  - Set value (str) MuiCache\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"
  - Set value (str) MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"
  - Set value (str) MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"
  - Key created Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList
  - Set value (str) MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"
  - Set value (str) MuiCache\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"
  - Key created Software
  - Set value (str) MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"
  - Key created Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList
  - Set value (data) Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000068d02434f6bcda01
  - Key created Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg
  - Set value (data) Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba6d2234f6bcda01
  - Set value (str) MuiCache\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"
  - Set value (data) Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c1d5234f6bcda01
  - Set value (data) Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9697f34f6bcda01
  - Set value (str) MuiCache\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"
  - Set value (str) MuiCache\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"
  - Set value (str) MuiCache\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"
  - Set value (str) MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"
  - Set value (str) MuiCache\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"
  - Set value (str) MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"
  - Key created Software\Microsoft\Windows\CurrentVersion
  - Key created Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi
  - Set value (str) MuiCache\@windows.storage.dll,-21825 = "3D Objects"
  - Set value (str) MuiCache\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"
  - Set value (str) MuiCache\@C:\Windows\system32\notepad.exe,-469 = "Text Document"
  - Set value (str) MuiCache\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"
  - Set value (str) MuiCache\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"
  - Set value (str) MuiCache\@windows.storage.dll,-34583 = "Saved Pictures"
  - Set value (str) MuiCache\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"
  - Key created Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList
  - Set value (str) MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"
  - Key created Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht
  - Set value (str) MuiCache\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"
  - Key created Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
  - Set value (data) Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018df9434f6bcda01
  - Set value (str) MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"
  SearchFilterHost.exe:
  - Key created Software\Microsoft\ActiveMovie
  - Key created Software\Microsoft\SBE
  - Key created Software\Microsoft\Multimedia
  - Key created Software
  - Key created Software\Microsoft
  - Key created SOFTWARE\Microsoft\SBE
  - Key created Software\Microsoft\MPEG2Demultiplexer
  - Key created Software\Microsoft\SystemCertificates
  - Key created SOFTWARE
  fxssvc.exe:
  - Set value (str) MuiCache\@fxsresm.dll,-1133 = "Print"
  - Set value (str) MuiCache\@fxsresm.dll,-1134 = "Microsoft Routing Extension"
  - Set value (str) MuiCache\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"
  - Set value (str) MuiCache\@fxsresm.dll,-1132 = "Store in a folder"
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid Process
1624 elevation_service.exe
1624 elevation_service.exe
1624 elevation_service.exe
1624 elevation_service.exe
1624 elevation_service.exe
1624 elevation_service.exe
1624 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid Process
648
648
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
description pid Process
Token: SeTakeOwnershipPrivilege 2840 2024-06-12_11145f3c7b5280396dd8b36cc67267f1_snatch.exe
Token: SeDebugPrivilege 1572 alg.exe
Token: SeDebugPrivilege 1572 alg.exe
Token: SeDebugPrivilege 1572 alg.exe
Token: SeTakeOwnershipPrivilege 1624 elevation_service.exe
Token: SeAuditPrivilege 1832 fxssvc.exe
Token: SeRestorePrivilege 3440 TieringEngineService.exe
Token: SeManageVolumePrivilege 3440 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2060 AgentService.exe
Token: SeBackupPrivilege 1960 vssvc.exe
Token: SeRestorePrivilege 1960 vssvc.exe
Token: SeAuditPrivilege 1960 vssvc.exe
Token: SeBackupPrivilege 4012 wbengine.exe
Token: SeRestorePrivilege 4012 wbengine.exe
Token: SeSecurityPrivilege 4012 wbengine.exe
Token: 33 528 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 528 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 528 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 528 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 528 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 528 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 528 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 528 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 528 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 528 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 528 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 528 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 528 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 528 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 528 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 528 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 528 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 528 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 528 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 528 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 528 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 528 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 528 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 528 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 528 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 528 SearchIndexer.exe
Token: SeDebugPrivilege 1624 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid Process procid_target
PID 528 wrote to memory of 2864 528 SearchIndexer.exe 120
PID 528 wrote to memory of 2864 528 SearchIndexer.exe 120
PID 528 wrote to memory of 1376 528 SearchIndexer.exe 121
PID 528 wrote to memory of 1376 528 SearchIndexer.exe 121
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-12_11145f3c7b5280396dd8b36cc67267f1_snatch.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-12_11145f3c7b5280396dd8b36cc67267f1_snatch.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2840
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1572
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:1372
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:1468
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2608
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:632
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:452
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1832
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1904
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:1180
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:4776
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4004
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1708
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:3996
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3076
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4860
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:1780
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3440
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2060
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:5008
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1960
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4012
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1032
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528
-
C:\Windows\system32\SearchProtocolHost.exe (child process of SearchIndexer.exe, PID 528)
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:2864
-
-
C:\Windows\system32\SearchFilterHost.exe (child process of SearchIndexer.exe, PID 528)
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
- Modifies data under HKEY_USERS
PID:1376
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5
1f6641b440d141f5b87c92fe39837697
SHA1
9d41806763c4885f6d51ce9c10c6b3832353c983
SHA256
391c094bbaa6cb1a6ab9e191be1b86a2352ebe62a069d091fced80dddc70f5b2
SHA512
d4c7db2e07c8baf73943a9783355e1887ad2be586efeff0bfda7976d45177aa30e855b0d1de42e015b68529fdd4f0648c1bee10191e301879b383146ec3847b4
-
Filesize
1.4MB
MD5
22733601ab304f359c11fb456fa1f7a6
SHA1
d4eb9e1693526b731fe15b0f670242d21611ab99
SHA256
ba8336ec993b0e9fc19b2fbcc6a249f09d366cd3042f36ab067a6d146e0854f2
SHA512
5ce9438a771a52f844fa8f100ecb3d2ea3e037b3707a6b194fc4bf328dde7226c9bd85670c9c1d239f6487c64c3dac59e6ede96b1726e9773a1dd25a3ad67172
-
Filesize
1.7MB
MD5
5a7cd7f8b8f5a4fe2ecc546a026fa466
SHA1
37d1f58fc09a49a520c2186a6ac1f899466d8f80
SHA256
5f5a3e71d95e1e63660c36e59c15ef50b0c791e5ddefab329a89dc274d66f62e
SHA512
f99f8109826521a4813014cb7a098f6febffe50a06dbdf04fdb511fed262324e30c33f8230e6e6c9d2dd4301d4859e8f5143cd80c59c4462822eeef354a97e59
-
Filesize
1.5MB
MD5
ea09239b6a32023dac1c72f4e299a275
SHA1
613817e06a95092d8de007f86bf8d1fea8260729
SHA256
fbbb51f187670402ddbffbfbe2e7b4d9cf96da01186eae896ebf2d2575cf3be0
SHA512
f927826cef2098dfdc326daba46cd383f9423c2b9ac2072203eff37efd7796165ff9397325bd972c612670a19645c5094e4efa3d85b34000fb54a8f853d24fc8
-
Filesize
1.2MB
MD5
641269f6e2b75f213187fa1a64b38d13
SHA1
7e1409fa4a2c2b82bf51fe8ca32a8b8eac6480fc
SHA256
5d90c2e4858cd6647aba2450d13571f40643bddd7bc3a43dfb5c7284c8abba0a
SHA512
6095593834e9be670b86e79066e12983783a88ab484ee2af1207c2addbead2f55d5392aa6524c18c278b8f27fcd2cf51232fc6a057bd58aeae4fcb67bcbd031c
-
Filesize
1.2MB
MD5
89a4755f12641c9332e658f36fc07be5
SHA1
b70576e13430cc7179f007a2464b0455cfa5c8e4
SHA256
eaac3e1d7fa64b51d0ffba2ccba0f314e008594dd587c3490f08a42eb00eb938
SHA512
18d71ff0a9a543367c00d9992158da11b9317d324976507dbad631b742010ab89e0507f19b3c1c3b57d27acc43d46557d179f05606790d75681fd08161db6996
-
Filesize
1.4MB
MD5
e375b12b40b89d667966749044e754a2
SHA1
ad4f159318da47870cd8d76678f378e499918bef
SHA256
a71079a64110b1147df61ab403778575281893298f8540c599796289a67453d4
SHA512
3193b89dff3f7c092c667352e699f0987f0ffaf4796569e4791cdcf54c20ea62bad11365ac5de3cb2eb7a60ac77633398aaeb99032d90d13d234695d3fcf32ee
-
Filesize
4.6MB
MD5
91d210b23d5b7cdcc60a456b3614f15c
SHA1
61f43d2a7e9d9bfe2b3ee992ddd925b67ef00c9c
SHA256
0c8e8742354448090d5e15ca28ffcfd48795ac15d7aef58666e43c09c76d4cc7
SHA512
d1a507e54fbfc65f81747cafdf8afee2291901166fd9d6b6386c33bec83a472cafd024bde49aee0177080fa66702af439417a0019dda325e266d424fa3750175
-
Filesize
1.5MB
MD5
5dd5b41a258eff38041d73e9d5578ce2
SHA1
8695a69a52d0eea731d95a19d0ccb64e35c6e687
SHA256
15c19f31194a048d2f793a69396bfbb1cccb679b8b73910e575f82c083c2016b
SHA512
e952b57ebaaa393e82f83f748faffcefb3f81cbc7f2cbabe34ebc9e409c508b6bedaad7ce5d20151de626d2edcb7ccda8cc346ead27f2613c35b1ed1fe15e1e3
-
Filesize
24.0MB
MD5
23525052cbbaf28baac12a51329a11c3
SHA1
b7e2f1e65ade2f7d7b4aa2ea4e95ba75484086d3
SHA256
a76ce7a9107afc890c224fa679ed1bc423b617f1f711d70219370784f5b2d243
SHA512
249818035f1aa2b17eb0766d56a2cc4041edd2ec462afa2862ab8b98c252659c49848cb24930a69c8b9c8b4a000a99e87fee9afa3de694300221337623aa38c4
-
Filesize
2.7MB
MD5
dc1348fa71051f1cd939b6a5e0188186
SHA1
2bc11966fff28bcf0590fe5ff4007715f0450e38
SHA256
cb76429b5061bc535318c627e211b3dfa5f1d07587365cffe5568a030398a18a
SHA512
1414316b8a3a9eb7b5f65730f9738938c0e9aed0aca82939b8552e22ba80d90c7f338998978711a7a25e50712bf3e71e1a3eac3ebd4f199f978436cd788152f6
-
Filesize
1.1MB
MD5
9db97d9569a08fd7b6760b8359e78d37
SHA1
81dd77a6e7485782e842653d14e283142bbfce40
SHA256
ffcaa2072258f8f792c72b9c9d6e81ce5552e3c5352c479ee295329391bfef27
SHA512
9551028feb734f8ec7ee789bf753e8fb7932ad2cb76bdd021d4290d0fb24338c9580f26f55d30abe87d745b2fe3aa526c6b0527eefaeeb97b969e4e1042b242d
-
Filesize
1.4MB
MD5
80f9b808e1bf9ff00d9803004345d861
SHA1
c78fe01b22347d9d519c3c7dfa7f8bbc60cf25b0
SHA256
7f2c220239cbd2dab32e1b329a479075748301bacf2f77d9bb22d7eadac82d57
SHA512
e5c5159fcb8e5625065c1e54bfe438531c0a30d36147bfb2c461885c31e6069a4b331097906b31a0381f251e205c29bd1242afe3f5a4d99711f0722d44629c31
-
Filesize
1.3MB
MD5
d87f654a4ca460e83b6ee08f14244757
SHA1
1bcea50705ced75bdc3489518ebf0619ef63d003
SHA256
2dbac5e4e11ad468ea880f2953e2522d2f323ae031e8a6721491eaf43f961a62
SHA512
0b61bbbf22bbe74fafa86a711682b1a59c9b8ab00e96bde84bbde176732caa2c257344447d4a98f38338b3eaec8830fb6e935467beb9d561d56d300cd80c6ac0
-
Filesize
5.4MB
MD5
546654643419e22b2fff7fbf10bf47c4
SHA1
25881494bf0181abe76b856a234fa2daae38596b
SHA256
53dbb52712d86077c21c437be62c66b2f262325018657756ea382f65c3f18612
SHA512
9740b8228e0d5563668c3784b507f203b0bb59644bb947fb032d5ee15896bfde3a692e91994753cff746d03d12adfd140cf4faa285329e7f3ca57a988c5bdb08
-
Filesize
5.4MB
MD5
b9172f65c605caabea11d12673f3859e
SHA1
1154598ddbfd49364c7fd77965291b0a466f0191
SHA256
0f0f71b74fca6dee9b45ac6082ae8dbad01bc92ee701c7d2cf84cc984863b143
SHA512
cd3709576e243b1e783780632cc1689a5c9ba9c2d9ab6582df1ac049c634516cc0e1c76e0124a5349fc49f1a1454f5fd555d467fda8f5144512cbee42c23757f
-
Filesize
2.0MB
MD5
4c464d72a2e48291b21c64ad0465d637
SHA1
42097ddb6215ed01eb1abda9d42d4d9037bc57b6
SHA256
dd220b00483fcf3a17999b5c2cf3eb24e9fd3eb5653837aa9f9b79cdc1019185
SHA512
5e32a3e2db3ce0e92b8b97d0486c547f8e3df618bbf222cde7f33be893f61304ec2d0fc3512f87d64a7a33335ce7f7edc450672f19b8054904e38027091df55a
-
Filesize
2.2MB
MD5
7ee5bb4237f126f55ea9b3042af7d192
SHA1
429e305bf0f74f81e1745cb7623c64950b3eb048
SHA256
ce16d238d416607654fff67fcd55225b6f3538f14c0ce3b4f9e11dcad9598de6
SHA512
f3091220e66a7d43f3d84939dfd660745ced0a31c9cea0d139b820aca774c3526c221d600d354efcc51e1c141cc7422b326019ecf388ae9220368fdc21dcc838
-
Filesize
1.8MB
MD5
55dbca8c30b3272b433e686a016766bd
SHA1
708a1bae79dd481c20f832966b2ad9685b22588d
SHA256
846add3285b0f413ea89dd325c2a4214192cc5cf6df0d498c377b7ed2dbb13cf
SHA512
764a866545f4b1918324a0e8448f5d795cce6b18c57100513a067ec46863925a037323010fc562ad97b083cc8dcf492b9cda704a084147110b4700c8b5eb77ef
-
Filesize
1.7MB
MD5
de4681e7e63ad210c5f501bfa0494bd0
SHA1
e7ef82467f91a3452c99ad4e81dd401d6d030873
SHA256
5e65f1f69600937929c8aba8c55eefb1d2d57e1a2aa50c1544b96e05f3e6a642
SHA512
0015c93032cb7519236b676eb0f9e26d257f8cd9005b0a377ea37db9be8c7ef067b95cc967b8d2460cf251f9939a682b4e44a8e9e34043a77a2d343a766fe9bb
-
Filesize
1.2MB
MD5
1d0d59e6e74bfab99cfdc54cef8be542
SHA1
7ec5562acb7832d4639f3390678e7e2a3e184da3
SHA256
d1b0bc4bf8244024377dc6d98ad082903b9ec599c72410a9cc01ec37cb305d21
SHA512
832fcf6900469ad71f64147fa3a46103a71093a5c6f3ef1ab07a520c95db50e2c0193f85ded82031f51941d1872c184e7272c79ae74897d12f02ab00b141bb5a
-
Filesize
1.2MB
MD5
83d4b06186c7219153699b04a67bdffe
SHA1
6298717daf5517832d9dd06db05dc78892e35a5c
SHA256
66401edd181a6d68e49d777f415b485638ba11576d045578768c678679b2b761
SHA512
edb25b3eb3819c4308a80ed4789e28d37506f001faac658951a3ef267db226b587988a838ba658a0560e4536a4e092c0b2a8dbca7af6fd445549d3f32386e88c
-
Filesize
1.2MB
MD5
e707b0e09832202e918b8a83386d7529
SHA1
f2a1bba28bd56368d4626e95ade15166eed546e9
SHA256
44d983ea318acaf9eadfba9261ceb17710ec9da9dc5e72de4894a9b0ba593ee2
SHA512
d96793416696264343bbe658474d999e983a90a1b0a80d7da54707fbb5226fd5128291e367db7812ba4bc979d9d9f9f56d1ec0303e0dfc03b8e145a3c72e8d26
-
Filesize
1.2MB
MD5
02b157a6f769b0c97c8163b836f79205
SHA1
97903d82c1923e0321d9da92f2699f1beb6b697b
SHA256
ce20b6901ea7bfbe676a0866df0ea980ce6159bb19015dec4d680c126492b812
SHA512
741cd143f3de02d54c96703f0ab52b0cbf7130a823474291b30fe89893266967abe493b1443a04861b2d9f62e0e3aaa525322b4a1559025c64a5e630e842878f
-
Filesize
1.2MB
MD5
2e836adedf67893acfd82488431d6faf
SHA1
9d53cd38102fde9449647fdf97d42a70f7825242
SHA256
c5abe478cc488f5785401ddee202aeda0625c466c37815d6c3e963cfd7d3e8fc
SHA512
aad8fec5d6487a0b3ff4267d737c54eed2c9bbd52dc5bf57cb74dc3ab11dbf6bba5fa7f4041307c1972bc7476be42dd9717c97bbf1883908fab8d599df7d25dd
-
Filesize
1.2MB
MD5
5bf2d2d16e9137f10a667edf5a9a889a
SHA1
8e8562d800c222531d80f33249d33ab200375f20
SHA256
ecc48bc2e71e8294422cdbba118eb6ded29286d6459de4cc308b792b015c7d30
SHA512
2f690434cf8655ff69601146e54e6041a1ad3dbb38f230a8cbf85422a2015ace4a8bd6099a67bdbbeede721dfcf5ba9931f1ec6ba60b7d2b6cce00a5d3497ec1
-
Filesize
1.2MB
MD5
f9da357e93922c5b6006dd46750722f9
SHA1
7f5942a9ef4690175a485dbd7d4ed6020aef1c65
SHA256
ca70c73c68948f4b4f8284f5b55e8dded2056e20429983575704214812adb058
SHA512
bd320ba51bc77b87f0e7809ca07d14791a227f96a00072e2e66102d72c427c40a2d4eb0c05ac1d488484b57f25927596123ea4e229b930a9860e4b21a968e6a1
-
Filesize
1.4MB
MD5
23b4aea3acbefb3375b411db7f48417f
SHA1
55e1604cbc551ec1e29817233b01b72e696d07c5
SHA256
1e97c669ee126655b64845a0d17a3788b114f48e51176ce08dc7b669e4ad9db4
SHA512
175c8f7472c0621a9d0fe7bdcd8ab07111d2444a056ae0c65a23d46c17214780eed2efb9a5fc2a3d6ef60af82f782f04b520ad767df6fe9517a4899ba7cd086e
-
Filesize
1.2MB
MD5
249196ab6f63522d021ddf87b8206867
SHA1
7111ee7d86eb55d26ebf089095554b68ee1d51fe
SHA256
a32794f8c02d20093d643f1eca3839dee89f3cbd5b41de283ad522d27a61b780
SHA512
c4c50e3022d9b86a8b7929dee1877adf601a6826f105904ab47d8260a83c79c73bd53d0523daff61446fa6e4d9d8876d22c1ac908c53342d2ed75af923454459
-
Filesize
1.2MB
MD5
2f913e1d9d5870e6f610a40865025e50
SHA1
a66a0f54c5637901b8ea7cf3c4ce0b34e7c966d8
SHA256
da2c0bb1af155530d33fc72c2db7d5c2677ecf516d10a737e49b9780d39dd29d
SHA512
9e4974e6a5d6127b2d5bdd4d40000c77590064e81b2f672305f4ea84f8ca5c16808672a2b78634bfaf7514825a283180be12eab80a2e62724c61a3cc4a297527
-
Filesize
1.3MB
MD5
cf02237e598fa428e5aa22a7b8f660fe
SHA1
96b4e57615dcad3d1a4518d19b4a1f1d811e2688
SHA256
4d74239ed720472983a387d8e062e6c9315154c8c17a4d5d6d179d231697f006
SHA512
07052eb192e4aeeb991f99f6cbb1a547bef2a2203afc691f411f1a799d2e5d5ff64b5ad095b044d10028eb7edfa8f31e970c3f0c05b0d5ad1259d26e2c0ab6aa
-
Filesize
1.2MB
MD5
df07ee8ff0079064c8f185dda5157a4d
SHA1
a25457da48213a34a1d6bc35bfd52f1917be75e6
SHA256
a420799c43b7dc24843b38ff9271ed358f2ca42f4ae405090935852b8b2eb85a
SHA512
1e2acbbcc9932b417af8b44d3c39797ee1c44cc2ee68fc851a87b1e16d9e011758f698ea4add779a62c5121a885ad5cca0882d8629c8654c403f8965826a46da
-
Filesize
1.2MB
MD5
ac67ea79fc00744042bfdd72f14c4fa1
SHA1
587b7fb622e18e8057ce729f38cda94966a6afe9
SHA256
e5adc6a27cfd4139694a39c3c812ee2a38aab4174288618394a7ef46bc742ec6
SHA512
e9425c26a34337be032a4485577a612f50422cc59b31e95d4600c8d38210e7d95c6c6db5d9220d781b4babb222910012ee85c296c8e471f2d973d84bf968cd34
-
Filesize
1.3MB
MD5
7d56a594b50e56009da83d8214ef8b3f
SHA1
88cde64bbcbbd99a90eb85cd3684acf27e50d417
SHA256
c50b221b05a464bd05b6dd4723e1ffd2f838a16e296b25d4a6c1bfd2b03f3174
SHA512
edf585a4d2f34fb4ad5435489bc5fd6569d5508222e4e01c0dbf791e8b274b3f28659108f60da7866267a6ad4f1ec88491a54da3d2c3bc255b40a76ab42c6fa0
-
Filesize
1.4MB
MD5
609654476e024e253191591d3e948dfe
SHA1
198893f67ae579667916c046f0e5fd16db79c98a
SHA256
3b4f63edc25296cc060283095fc47f6d2652264dbd94086d8d3bc9d1e50097d0
SHA512
1490a247f9e6e29bed8a017effd62660a36188b6bf896e7ff13620bb5dce13f2cc2bbde760de2a5387a3783e1efb18fdde43ed447b63321cc3bb28926807416e
-
Filesize
1.6MB
MD5
ea9072021056e6b3ac61b1f9b3a07993
SHA1
ee93cc93b65304e041cec1d73f8ac6735c7e190e
SHA256
57f6ff74a2a2c18d5de05084486855df8ccab7a81d7ce936567ff588c0d330f8
SHA512
95fdcabe7b414698572bdf3588c5959985afb54379030721695a45851afb8a467b38fbd47eb284e468fb9c0eff1633dd89ef3ff0b777cbd9e8c950997a10822d
-
Filesize
1.2MB
MD5
f105ac06edca92ceff999e157eaca469
SHA1
a585a78d4e5e42a43811b49ac3abc9ac2b6437cd
SHA256
2dbfeb96bf04fc940b28ef2716cb290e027f2f918e3fbcf4d0fdd1ae21950b9a
SHA512
9245e0d261472758b30b9cc591ab923214b8e357ca8eefd505bcb428806a72b02fd9c23560863580ed52c162407453cfd001d9409215856b79cf4922916ec8df
-
Filesize
1.2MB
MD5
ec49b447aa750795929014c036770c8c
SHA1
2be328630c722b32fc3989f24bf11a813c78a205
SHA256
7b9affcbfbfadd599f67d2e75d8da901338a24d295678697cb7633fa4148a288
SHA512
f733ce45ccd3c674132facd9d7cc3281300db2205b22935c38544c0b9dfd1f61e2bf7dfc28a8a55ab399efbe457c7e4eb6a2a7dbdecc47c0a82f9a78cbd402f6
-
Filesize
1.2MB
MD5
c72d9c49e5fa9a400aad12356d8e81fd
SHA1
d5297c95422e3ddc215eff96a7976ef293714ff3
SHA256
b7577a99f2229b46f199e25d0df375144d2d9b44797928a4202c06b4a107051f
SHA512
ae2bae40e74a5d528e7ab8857e5828a20764eda09c5a28e0d276bc43b0217d5b1693ab17e84ac1396a851063a4de5ac535ccd612b0cbe9a209e9540b22eb3952
-
Filesize
1.2MB
MD5
39ac3c4164df8b96bf404d2381a9adb1
SHA1
84404582fbc9aed9fa8b159bdefc21a7bfe32033
SHA256
3ddff2d3a25b66b8cf18e62ddc98f0026e692fa8f75c60897e11cdc2b34a9151
SHA512
f0b916e25472494815a179a0145be6d2a2159674776dfba780d9cee87e481042448142d9e8d29ccdc79c9b47d6f30d33e759ba21e69b866c4e0d0c632ff3458e
-
Filesize
1.2MB
MD5
4b69bac80eaafabaa6b123cdd6828b62
SHA1
bf7fb85e45f3efb9b0b7e9a8d88aa54fa64d98cf
SHA256
9c64abb3927099f86de62f48408a4d0e7bd7bf0dba8334fe384de02e15079896
SHA512
b55e441e06d2fec1399469df0a9b6fd294d40cc87cc7d33422553b4d0526dd3940bf010ca63c270d24519e09d57798a15113721c92f850feee5a0cb80ae2c8a3
-
Filesize
1.2MB
MD5
c6ee24522d409748f7e322604e689816
SHA1
b1e0721d78d0bba5922463d558700c1aec0b061a
SHA256
9ce725e8e0d87c8e06494bdd1dbc39655dc7ae593e194b4e56800344c55ec440
SHA512
db8846a9b26b8af66660be217b104d7b1d3285e1993ccd706d7bbd9cb9886a21be0ca16cbba0f7fb2c97d37b368aeb2cf298da5136b717a29fc7fa1de4035532
-
Filesize
1.2MB
MD5
e638af4dcb73cd6e5186ad93951c5242
SHA1
fae6385c90ce43b6b0288d413799e72c896f25d3
SHA256
e5bd516d6ced3e1442f92919f14b0ae745f07b9919335adb6b3254a400883123
SHA512
1290d65567c24bd34d811fa17907097ee435abd188deb60fdd103752be7c4cda3159e6d8a51790158ee2b973a111a94fcf9f0b1576399cccb05cc7d3cf11a99c
-
Filesize
1.3MB
MD5
c6a3d3b1e675af99bfad650619436a56
SHA1
2821b02fd9178ca95715fb7777532131c5f6763a
SHA256
8768dd73adcbb24b82fce7e2406519bd1ba8fef38eb5ed40a9ae78f0a194dc0c
SHA512
abdea87ece28b5ac21b8cd7456a551c91c367a42d74d114bfb2023e6d66cfc9ce5c2043a9868be2b80d5b163de08d071211b3238ae6c1e3bbee06540e253c7d8
-
Filesize
1.2MB
MD5
7b6c9814b0287a166f6dd4dfc2fd1964
SHA1
311642eb2a5339dda460a37ae6d43ca2e45d1c3d
SHA256
df2d431c97e9fca59ba8392d1bc908546505c007640612db2b787090d527459a
SHA512
512fffc5ceb89385bb2f77680699d1ce7d7936b157b32cb0f7b1562439577bd1a45d70659e4d600650dd142dd8b86e545468b090688a855f63a60ef19a5ef380
-
Filesize
1.7MB
MD5
b2c41fcf4001964668494933d403f685
SHA1
242e12cc666a8ee91deecfc18c1ed668cad4d6e4
SHA256
bc9be5781dee1349e0f05f7ce6a41a2b07a30c52df968191ddeaf61d03dcbc46
SHA512
07a0498b87ff28abe035558c07fa9b8d06a78965368f8944a43ab5e494bc38094d9201014d694148334bfe55b9250f073d2113503e2a5851aad1cdb588189605
-
Filesize
1.3MB
MD5
a1d5e1fb32bcedfbbd430220547bd857
SHA1
5cfe767dfa8e305c65a7f6b7c0cc1f4df3c0e0cb
SHA256
6be72720999cf7dc9c07e8f9392147fd7fa7fac4d26eea934e018921e05f794c
SHA512
dc03f4ffb812dabfcfead78796819d659402e1e518ccd656936427e988b5e2bc6a03c15989fec109556b075cae830f37cba46df9586f6e025bfd379e25168506
-
Filesize
1.2MB
MD5
df5aafbccbf39d53666c349d8e125c42
SHA1
22bac473a09f7e7e6bed28380d4c81a51cb4e472
SHA256
1ee98aac9f163af25627ee18efd1da75e8aa82ff392d85da9a6054f18ffbb798
SHA512
51e633f1247293e1b01d8f8662b2af5d72f4bc892797d02bbbedef9951a270957fd46fd03856c21ec68c0cd1e03a24611b442153e5120c8549823e80dd35056f
-
Filesize
1.2MB
MD5
c0b8f7d1dbe186947307e25c7152a119
SHA1
603456a26bcc9a80fb65760cdb55c59e96d2029b
SHA256
abbc02e596c3cd0c64c2ed8225673f4abce1d88b6fd56f118a29504a4333252c
SHA512
9d74b00c7317e5aef70c7fde25ddc02ef4d805f8bdc3f17f0100b2746f1ec2e72b95d210a9a0f7c9629702e006d29a5d7b195b80ce54d4aeddf2c0adbbe83395
-
Filesize
1.5MB
MD5
c3523ca408fb0c00838fe0a369175ad0
SHA1
752e82c49791998aec0fd8c81c616c0cc1758dfa
SHA256
9131f11fb1c9638ae22276fa5f7d5d39d9e5b61f45d0c5505dac38d82beb7eea
SHA512
52cb6f0eee0f7f49dc501dee5e5e1ce64eebb2429ff3a63e052e3e18f2d8c6c508cde7a3adcbbf496e2deaf98e8dc54294d1bd5d3f2f0397567d3224a905e9d4
-
Filesize
1.3MB
MD5
c74706bd5aa6c5aebb98f41d2e11d01d
SHA1
b1cd1d003431f4f149a8ede245e7583e5c0ac77d
SHA256
306d68298327703db1abb3be5d40860ced6cf462bb86d42e4d47c3093398c6a6
SHA512
b882a934eaf61fbb0be26f90b70048ced5f8d783cd701be04a7d5251adc349adfe188c68c84cf85ee0194a92f7af3dc92a3f6e21101b16c8fedb426901120f8f
-
Filesize
1.4MB
MD5
934a5ed0442729f46f808640f274c1fe
SHA1
704feb05bb17d1235d67f72b16da0d8c200a0c57
SHA256
47338d203ba25936875f426a32a8b72015359f6f7d8c42886ed3678c0588f4f2
SHA512
bebe897d685efb9a0bf06f70b712d89deb8dfd376a9600cd2ed822e77428ea6f6d49783f8389b252498c0be9adae2a3fe86f8842dfc4231cc1f700e37d7de39d
-
Filesize
1.8MB
MD5
565c58bd7bb220b2ef552b2533cb585e
SHA1
f5fae0eeede71175df18315cd3f7352f05b4fa4f
SHA256
ad059363bf9f2c1be070e03b5cfdce26718e3125607e86c3aac154e3c8c6d73f
SHA512
fe39d4305ed24608cdffe68dc139595440e7af76d4abae3b91ec964c280fd266d95b345a8152d23e67f62fe12bcc18c6059a6c2f3d69e19587e5db020e4191b3
-
Filesize
1.4MB
MD5
7970839ecfb7459d1f85e9e4f6de4923
SHA1
205f268048ffa13d9ce21c0c871b085cf489a3c9
SHA256
1ee23544370c29abb3dadd4781917944b186d917d8e680201259fb0311199848
SHA512
d541641dc41cba59dc0782aa9b1f87a03595fea336a5f40fb3568fb2fb356246db5e6acd78bbab3c0b0131cb65e27d1446aa84ad0e88baf12ed0b5fe7e4537f3
-
Filesize
1.5MB
MD5
ff38cbcf027dcaa58e7506b45b1214b5
SHA1
25b737d82c7aa25ec816232dc260f5bae65fa2f2
SHA256
bf35338b1b1d67988bc931d9e42bc5ad15c902f89734efe3ed6df7a30bc98b43
SHA512
9c9ab426762612c6010e402cc2cad31768468c9dce7a77c849a550009e442331ff54b4c5a16d4ed00fd70c847988ebf47e5059b2499d5ff63857f62975fad74c
-
Filesize
2.0MB
MD5
ae70b274e89292ca278268fbf5d3768f
SHA1
46772dbfa4a50a0dbae93d11ca254aaf80ed0709
SHA256
da2dd39bee97fb209139f1005247ce281ae790250520a78c11e5511b7e9b43d0
SHA512
e49a04ee674f12fed4f29b270c12d21165cdd44f3401d652242435a3615174c2aeac2c49e372ca04a1d6191f11fa3dba69efe77e2aca437cb72b9b7240161144
-
Filesize
1.3MB
MD5
2c88963643f127205f1cd65f629418ad
SHA1
0aba37185f4e947121d86392bf45a60027e5747a
SHA256
a61c52ae6f3462bdd60e9dfa9d825975fb32125255cffa3df9790b6d915bbea0
SHA512
2a8fc1708d737a72c13cc549383a9a43e34fcb00382b07a3e8a89abcd71b5d539bca9612beae858f1fba25f237506d9b0e2f487e1f3ddbeb758776d50cda24c1
-
Filesize
1.3MB
MD5
3ba0f122838e2bef1d468b9d8aca88b9
SHA1
83911ebeee296ff5ee1e47ff9dfa85762910c219
SHA256
4bfb839a47375fff367dd6dce9d6413668937078305f091c3fdb3013d94f000c
SHA512
2445ac1461ee378af8b62d2feb0c28f999343f460d6556edab5416ce9be3fc969f5e4c11674b2710d5447fdd786bf5ce1bc317d1965080618a22620edd577729
-
Filesize
1.2MB
MD5
bddb965fad45ad381c1b8029bf93249c
SHA1
411ecf8c4d71af60d0b0ea2ff4e977d602614461
SHA256
477101d9c1d6089bb9cb90802d04d4a1390d829412af5e9f1fecbc06d7ea9a3c
SHA512
98701fccec615ac88faa20ea8aa18893377adb97dccb30ad494bc6d4b1b27d22f583ed2437b54616710ee75c47c139d572c1c88381243d6a6bf8f2cf6b5d1ff8
-
Filesize
1.3MB
MD5
94c0296c01f57a209914dcc249d6ff06
SHA1
dc34bce065d600c8a1c69082c17c6a61786d1410
SHA256
dbedf5e96ecec3619067c53ba4a24472d91943e16b665f9627cb1ad067f5dca2
SHA512
4d93eb4d431038c260a9ed0cabe1245789631a72d69cca2d785fe2af3625fe645a6b6a23a5094ae489a7d591ac99d78527088d54faada3883c12db8b7a397273
-
Filesize
1.4MB
MD5
50c75373cc19bcc4d50586cbeaa36500
SHA1
f2bfed666810dca70a43403eb90e9a5792fd95bc
SHA256
5587765b02956c139335fe0fc3ad4942f1318d0ec6ded5f9a131a10d9d6895ca
SHA512
72731bf020c86f06e2dc77071471cb3c890b89e5ee9116b0c1415d54da3215e6ef510d115bd1749690229cd984f92912fec81608ebf6ba0b1360985feaf715ef
-
Filesize
2.1MB
MD5
7019f938974527ccc5318e3f33a5b96e
SHA1
86c4f682d8b08c0daf37a9e84e06059ba94020d7
SHA256
4def3faa17612c9912ba17019eeba0275f5c21f2cfeb89712e9835272d14e648
SHA512
ad10fc091f71bd6b4ef82cd94e10339d1c52cd2731baba5d7890ad638284f09225230d9550e52709c185a74f91744b3eb984e67c286010cf4ffacf17ed25e9a2