Analysis
max time kernel: 146s
max time network: 205s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-05-2024 10:36

Static task: static1
Behavioral task: behavioral1
  Sample: Setup.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Setup.exe
  Resource: win10v2004-20240508-en

General
Target: Setup.exe
Size: 105.4MB
MD5: f72d2886200262292b81a39985ee2405
SHA1: 94887617839c388ae4ebd4acd389ac9fd33938a0
SHA256: 08e0b8a76cebb1a668f2ed3d1de76d13e38b6e41e98ed804599e4faa298eb3a2
SHA512: 68922552ed2ef93612efa16e6f9f669064056d912003dda69c183c689d266318bc107ee0cc5c7f738dba83060c889d8b28cbcb689c92525f9ba4a357bde1ca89
SSDEEP: 3145728:CQSqX9kyO18IfUs1978l1QQLaXRd2M/MhDpY:kY6yszco978lahd2M/Ea
Malware Config

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} = "\"C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe\" /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredist_x86_20240509112939.log\" /passive ignored /burn.runonce" | vc12redist_x86.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{ce085a78-074e-4823-8dc1-8a721b94b76d} = "\"C:\\ProgramData\\Package Cache\\{ce085a78-074e-4823-8dc1-8a721b94b76d}\\vcredist_x86.exe\" /passive /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredist_x86_20240509112941.log\" /burn.runonce" | vc13redist_x86.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
Drops file in System32 directory 52 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\DMX.dll | Setup.tmp
File opened for modification | C:\Windows\SysWOW64\PtGreyVideoEncoder_v90.dll | Setup.tmp
File opened for modification | C:\Windows\SysWOW64\haspds_windows.dll | Setup.tmp
File created | C:\Windows\SysWOW64\is-HK92A.tmp | Setup.tmp
File created | C:\Windows\SysWOW64\is-PBQ5A.tmp | Setup.tmp
File created | C:\Windows\SysWOW64\is-IU2O5.tmp | Setup.tmp
File opened for modification | C:\Windows\SysWOW64\avcodec-57.dll | Setup.tmp
File opened for modification | C:\Windows\SysWOW64\lumenera.dll | Setup.tmp
File opened for modification | C:\Windows\SysWOW64\ioPointGrey.dll | Setup.tmp
File created | C:\Windows\SysWOW64\is-B606M.tmp | Setup.tmp
File opened for modification | C:\Windows\SysWOW64\io.dll | Setup.tmp
File opened for modification | C:\Windows\SysWOW64\swresample-2.dll | Setup.tmp
File created | C:\Windows\SysWOW64\is-CF33M.tmp | Setup.tmp
File opened for modification | C:\Windows\SysWOW64\ftd2xx.dll | Setup.tmp
File opened for modification | C:\Windows\SysWOW64\nhlminst.dll | Setup.tmp
File created | C:\Windows\SysWOW64\is-29V1E.tmp | Setup.tmp
File created | C:\Windows\SysWOW64\is-V593K.tmp | Setup.tmp
File created | C:\Windows\SysWOW64\is-I5JKK.tmp | Setup.tmp
File created | C:\Windows\SysWOW64\is-BPV1C.tmp | Setup.tmp
File opened for modification | C:\Windows\SysWOW64\ExposeControl.dll | Setup.tmp
File opened for modification | C:\Windows\SysWOW64\ioArt.dll | Setup.tmp
File created | C:\Windows\SysWOW64\is-8EBN3.tmp | Setup.tmp
File created | C:\Windows\SysWOW64\is-398G6.tmp | Setup.tmp
File created | C:\Windows\SysWOW64\is-74QB7.tmp | Setup.tmp
File opened for modification | C:\Windows\SysWOW64\avutil-55.dll | Setup.tmp
File opened for modification | C:\Windows\SysWOW64\hinstd.dll | Setup.tmp
File opened for modification | C:\Windows\SysWOW64\libiomp5md.dll | Setup.tmp
File created | C:\Windows\SysWOW64\is-18VCM.tmp | Setup.tmp
File opened for modification | C:\Windows\SysWOW64\FocusIndicator.dll | Setup.tmp
File created | C:\Windows\SysWOW64\is-SQB9T.tmp | Setup.tmp
File created | C:\Windows\SysWOW64\is-DUGLT.tmp | Setup.tmp
File created | C:\Windows\SysWOW64\is-1BI2Q.tmp | Setup.tmp
File opened for modification | C:\Windows\SysWOW64\FlyCapture2_v140.dll | Setup.tmp
File opened for modification | C:\Windows\SysWOW64\ArtemisSyn.dll | Setup.tmp
File opened for modification | C:\Windows\SysWOW64\lucamapi.dll | Setup.tmp
File created | C:\Windows\SysWOW64\is-6E94R.tmp | Setup.tmp
File created | C:\Windows\SysWOW64\is-I6D79.tmp | Setup.tmp
File created | C:\Windows\SysWOW64\is-FF2HL.tmp | Setup.tmp
File created | C:\Windows\SysWOW64\is-DRTSO.tmp | Setup.tmp
File created | C:\Windows\SysWOW64\is-6IVED.tmp | Setup.tmp
File created | C:\Windows\SysWOW64\is-OD0V0.tmp | Setup.tmp
File opened for modification | C:\Windows\SysWOW64\Atik.Core.dll | Setup.tmp
File opened for modification | C:\Windows\SysWOW64\avformat-57.dll | Setup.tmp
File created | C:\Windows\SysWOW64\is-0EV9R.tmp | Setup.tmp
File created | C:\Windows\SysWOW64\is-HBD75.tmp | Setup.tmp
File opened for modification | C:\Windows\SysWOW64\FlyCapture2_v90.dll | Setup.tmp
File opened for modification | C:\Windows\SysWOW64\swscale-4.dll | Setup.tmp
File opened for modification | C:\Windows\SysWOW64\synsss32.dll | Setup.tmp
File opened for modification | C:\Windows\SysWOW64\haspms32.dll | Setup.tmp
File created | C:\Windows\SysWOW64\is-444MP.tmp | Setup.tmp
File created | C:\Windows\SysWOW64\is-7OD3M.tmp | Setup.tmp
File created | C:\Windows\SysWOW64\is-O28KQ.tmp | Setup.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-KBE1A.tmp | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-3MHNT.tmp | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-COKLH.tmp | Setup.tmp
File opened for modification | C:\Program Files (x86)\Synbiosis\ProtoCOL3\fr-FR\ProtoCOL3.resources.dll | Setup.tmp
File opened for modification | C:\Program Files (x86)\Synbiosis\ProtoCOL3\zh-CHS\ProtoCOL3.resources.dll | Setup.tmp
File opened for modification | C:\Program Files (x86)\Synbiosis\ProtoCOL3\zh-CHS\Synoptics.resources.dll | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-RMQVT.tmp | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-38U62.tmp | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-VA0LQ.tmp | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\x86\is-IQ4H1.tmp | Setup.tmp
File opened for modification | C:\Program Files (x86)\Synbiosis\ProtoCOL3\ko-KR\Synoptics.resources.dll | Setup.tmp
File opened for modification | C:\Program Files (x86)\Synbiosis\ProtoCOL3\en-US\Synoptics.resources.dll | Setup.tmp
File opened for modification | C:\Program Files (x86)\Synbiosis\ProtoCOL3\ProtoCOL3Spy.exe | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-QV5HT.tmp | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-25KHI.tmp | Setup.tmp
File opened for modification | C:\Program Files (x86)\Synbiosis\ProtoCOL3\ExcelLibrary.dll | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-VCQIC.tmp | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-HDH9E.tmp | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-RCJ24.tmp | Setup.tmp
File opened for modification | C:\Program Files (x86)\Synbiosis\ProtoCOL3\Synoptics.dll | Setup.tmp
File opened for modification | C:\Program Files (x86)\Synbiosis\ProtoCOL3\x86\liblept168.dll | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-MGR64.tmp | Setup.tmp
File opened for modification | C:\Program Files (x86)\Synbiosis\ProtoCOL3\PdfSharp.dll | Setup.tmp
File opened for modification | C:\Program Files (x86)\Synbiosis\ProtoCOL3\PdfSharp.Charting.dll | Setup.tmp
File opened for modification | C:\Program Files (x86)\Synbiosis\ProtoCOL3\cli_basetypes.dll | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-3QRNG.tmp | Setup.tmp
File created | \??\c:\Program Files (x86)\Microsoft Chart Controls\Assemblies\System.Windows.Forms.DataVisualization.Design.dll | msiexec.exe
File opened for modification | C:\Program Files (x86)\Synbiosis\ProtoCOL3\ReportLibrary.dll | Setup.tmp
File opened for modification | C:\Program Files (x86)\Synbiosis\ProtoCOL3\EPPlus.dll | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-9ETMD.tmp | Setup.tmp
File created | \??\c:\Program Files (x86)\Microsoft Chart Controls\Assemblies\System.Windows.Forms.DataVisualization.dll | msiexec.exe
File opened for modification | C:\Program Files (x86)\Synbiosis\ProtoCOL3\GeneralMatrix.dll | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-SS5SK.tmp | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-VSHCR.tmp | Setup.tmp
File opened for modification | C:\Program Files (x86)\Synbiosis\ProtoCOL3\Synoptics.DMXLib.dll | Setup.tmp
File opened for modification | C:\Program Files (x86)\Synbiosis\ProtoCOL3\ProtocolCameraTool.exe | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-QSNCI.tmp | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\ja-JP\is-D98BF.tmp | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-H0NGG.tmp | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-27MAH.tmp | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\ru-RU\is-IKQSE.tmp | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-C8EF1.tmp | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-3PRAO.tmp | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-UDOBV.tmp | Setup.tmp
File opened for modification | C:\Program Files (x86)\Synbiosis\ProtoCOL3\ja-JP\Synoptics.resources.dll | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-Q6ME1.tmp | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-C78A7.tmp | Setup.tmp
File opened for modification | C:\Program Files (x86)\Synbiosis\ProtoCOL3\DatabaseUpdater.exe | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-VROUC.tmp | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-NSS5S.tmp | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-02INH.tmp | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-LUUV0.tmp | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-V9MLN.tmp | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-0HPLE.tmp | Setup.tmp
File opened for modification | C:\Program Files (x86)\Synbiosis\ProtoCOL3\MigraDoc.RtfRendering.dll | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-5RB8F.tmp | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-RUN07.tmp | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-VVU0L.tmp | Setup.tmp
File opened for modification | C:\Program Files (x86)\Synbiosis\ProtoCOL3\Synoptics.Controls01.dll | Setup.tmp
File opened for modification | C:\Program Files (x86)\Synbiosis\ProtoCOL3\fr-FR\Synoptics.resources.dll | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-4JA5L.tmp | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-J77VQ.tmp | Setup.tmp
File created | C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-HLD5F.tmp | Setup.tmp
File opened for modification | C:\Program Files (x86)\Synbiosis\ProtoCOL3\ProtoCOL3.exe | Setup.tmp
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\WinSxS\InstallTemp\20240509112927072.0 | msiexec.exe
File opened for modification | \??\c:\Windows\Installer\e57d0d2.msi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{9A25302D-30C0-39D9-BD6F-21E6EC160475} | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927088.0\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e.cat | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927103.0\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943.cat | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927134.0\9.0.30729.1.cat | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927072.0\9.0.21022.8.policy | msiexec.exe
File opened for modification | \??\c:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927119.0\mfc90esn.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927088.0\msvcp90.dll | msiexec.exe
File opened for modification | C:\Windows\WinSxS\InstallTemp\20240509112927119.0 | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927119.1\9.0.30729.1.cat | msiexec.exe
File opened for modification | C:\Windows\WinSxS\InstallTemp\20240509112927150.0 | msiexec.exe
File opened for modification | \??\c:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057\9.0.30729\FL_msdia71_dll_2_60035_x86_ln.3643236F_FC70_11D3_A536_0090278A1BB8 | msiexec.exe
File opened for modification | C:\Windows\WinSxS\InstallTemp\20240509112927134.0 | msiexec.exe
File created | C:\Windows\Installer\SourceHash{41785C66-90F2-40CE-8CB5-1C94BFC97280} | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927119.0\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03.manifest | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927103.0\mfc90.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927119.0\mfc90deu.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927119.0\mfc90fra.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927103.0\mfcm90u.dll | msiexec.exe
File created | C:\Windows\assembly\tmp\8A23OZLL\System.Web.DataVisualization.Design.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927056.0\atl90.dll | msiexec.exe
File created | \??\c:\Windows\Installer\e57d0d1.msi | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927119.0\mfc90ita.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927150.1\9.0.30729.1.policy | msiexec.exe
File opened for modification | \??\c:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057\9.0.30729 | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927103.0\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943.manifest | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927119.0\mfc90jpn.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927103.0\mfcm90.dll | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI1AA8.tmp | msiexec.exe
File created | C:\Windows\assembly\tmp\94798G57\System.Windows.Forms.DataVisualization.dll | msiexec.exe
File created | C:\Windows\assembly\tmp\XGMS1MWW\System.Windows.Forms.DataVisualization.Design.dll | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927119.0\mfc90enu.dll | msiexec.exe
File opened for modification | C:\Windows\WinSxS\InstallTemp\20240509112927056.0 | msiexec.exe
File created | \??\c:\Windows\Installer\e57d0d2.msi | msiexec.exe
File created | C:\Windows\assembly\tmp\WBW3UUCV\System.Web.DataVisualization.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927056.1\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1.cat | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927119.0\mfc90kor.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927088.0\msvcm90.dll | msiexec.exe
File opened for modification | C:\Windows\WinSxS\InstallTemp\20240509112927056.1 | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927056.1\vcomp90.dll | msiexec.exe
File created | \??\c:\Windows\Installer\e57d0cd.msi | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927056.1\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1.manifest | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927056.0\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2.manifest | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927119.0\mfc90esp.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927119.0\mfc90rus.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927119.0\mfc90chs.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927134.0\9.0.30729.1.policy | msiexec.exe
File created | \??\c:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057\9.0.30729\FL_msdia71_dll_2_60035_x86_ln.3643236F_FC70_11D3_A536_0090278A1BB8 | msiexec.exe
File opened for modification | C:\Windows\WinSxS\InstallTemp\20240509112927088.0 | msiexec.exe
File opened for modification | \??\c:\Windows\Installer\e57d0cd.msi | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927088.0\msvcr90.dll | msiexec.exe
File opened for modification | \??\c:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057 | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927056.0\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2.cat | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927150.0\9.0.30729.1.policy | msiexec.exe
File opened for modification | C:\Windows\WinSxS\InstallTemp\20240509112927103.0 | msiexec.exe
File created | C:\Windows\assembly\GACLock.dat | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927103.0\mfc90u.dll | msiexec.exe
File opened for modification | C:\Windows\WinSxS\InstallTemp\20240509112927150.1 | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID39C.tmp | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927072.0\9.0.21022.8.cat | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240509112927119.0\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03.cat | msiexec.exe
Executes dropped EXE 13 IoCs
pid | Process
1212 | Setup.tmp
1564 | vc9redist_x86.exe
2084 | install.exe
848 | vc12redist_x86.exe
2584 | vc12redist_x86.exe
4136 | vc13redist_x86.exe
3468 | vc13redist_x86.exe
868 | vc19redist_x86.exe
3692 | vc19redist_x86.exe
2296 | MSChart.exe
4160 | SPInstaller.exe
4440 | DatabaseUpdater.exe
2432 | ProtoCOL3.exe
Loads dropped DLL 64 IoCs
pid | Process
1212 | Setup.tmp
1212 | Setup.tmp
2084 | install.exe
2584 | vc12redist_x86.exe
3468 | vc13redist_x86.exe
3692 | vc19redist_x86.exe
4160 | SPInstaller.exe (this row is repeated 58 times in the original listing, making up the remainder of the 64 IoCs)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | SPInstaller.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | SPInstaller.exe
Modifies data under HKEY_USERS 3 IoCs
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b | msiexec.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4CEC008D-D9A5-11CF-AB39-0020AF71E433}\VersionIndependentProgID\ = "IO.IOPoint" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOColorStatistics.1\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BFB758-5FDB-11CF-882D-444553540000}\TypeLib\ = "{C0BFB74B-5FDB-11CF-882D-444553540000}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39D6207C-6D26-11D4-B35E-0080C8D9F878}\TypeLib\ = "{95CBADD0-EE34-11D4-B386-0080C8D9F878}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FD2B08A5-50CC-491B-A1D7-E4433F3C65E9} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59B23FE2-A814-11CF-9EC7-444553540000} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CAE70E8-CE5B-4C9A-ACDC-898858F490DF}\ = "IIO3DDisplayDraw" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF0F4952-D2E9-4175-87FE-6FE90180AD52}\AppID = "{73FB929C-6F2C-4EA4-90EF-34FC172D7DD8}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C755DFC9-ED9D-48C0-AF7B-CD8258563DB4}\1.0\FLAGS | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{64E3F5AD-92CD-4C33-9239-A1D4A766AA94}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4EA90F61-EBA4-11CF-9EC8-444553540000}\ = "IOColorStatistics Class" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8102DCBF-1143-4358-830B-CC961E2E3D13}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27FCFFD3-942C-4FF4-86B8-9DD716AF22EF}\TypeLib\Version = "1.4" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Lumenera.LumeneraCamera\ = "LumeneraCamera Class" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOPoints.1 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7EAFE56C-D6A6-4BC0-BDB3-606AEE5B20B6}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{E88B860B-0E6B-4DAA-A443-84EF57C55C3A} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{73781EB2-4FF5-4F9A-A43B-78D923B80B10}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C0BFB759-5FDB-11CF-882D-444553540000}\ProgID\ = "IO.IOImage.1" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B7275760-F05C-11CF-9EC8-444553540000}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{63EA5BB8-3F41-4ECD-9338-EE8A64A1E592}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{683D6E19-BEEF-4A73-9A51-4B93ECAB6EB4}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08B93C42-BAB3-424F-AF8A-D59338E96531}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5535384A-2432-454E-9450-D147180CA3A4}\ProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3777908-3350-41DB-8292-5AAD41A4F26D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8AE898D3-206B-4299-BA13-0CF2B8E94546}\TypeLib\Version = "1.4" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FocusIndicator.FocusCalculator.1\CLSID\ = "{5535384A-2432-454E-9450-D147180CA3A4}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{04EAC770-E24A-11D4-B37E-0080C8D9F878}\TypeLib\Version = "1.4" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{858B0163-ED5F-11D0-8808-0040950397EE}\Programmable | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5535384A-2432-454E-9450-D147180CA3A4}\TypeLib\ = "{878CF29D-B8CC-4124-84D4-DDF5EB3DC645}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57F82446-0C90-11D5-9E9B-0080C8ECB1E3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4EA90F60-EBA4-11CF-9EC8-444553540000}\TypeLib\Version = "2.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOColorStatistics\CLSID\ = "{4EA90F61-EBA4-11CF-9EC8-444553540000}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{325A17C6-60A1-11CF-882D-444553540000}\NumMethods\ = "25" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F8267752-4AB6-4D3B-A4D9-693A4EEEC82E}\ = "IIOLensControl" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOPoint.1\ = "IOPoint Class" | regsvr32.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.CRT,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004300520054005f007800380036003e006b0027005600490037006f00520050007e00370055003d006f0029006d00730026002c003300420000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057\Servicing_Key | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOPoint.1 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{42D186E4-39C8-4E99-BA46-30D92A414F70}\VersionIndependentProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{42D186E4-39C8-4E99-BA46-30D92A414F70}\InprocServer32\ = "C:\\Windows\\SysWow64\\ExposeControl.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64E3F5AD-92CD-4C33-9239-A1D4A766AA94} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A0044421-FA07-4EA4-85C2-444B0639AFEE}\ = "IIOGrabCameraID" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FocusIndicator.FocusBar\CLSID\ = "{E3603690-D7DC-462C-A62B-6C645640A1AE}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4CEC008D-D9A5-11CF-AB39-0020AF71E433}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8CB56E7C-8FBA-44B7-AC5C-0E3643A2F8E0}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59B23FE0-A814-11CF-9EC7-444553540000}\TypeLib\Version = "2.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7EAFE56C-D6A6-4BC0-BDB3-606AEE5B20B6} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F8267752-4AB6-4D3B-A4D9-693A4EEEC82E}\ = "IIOLensControl" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F956166C-B960-485A-B091-6D507A1CB1D2}\1.0\FLAGS\ = "0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOVector.1\CLSID\ = "{B7275761-F05C-11CF-9EC8-444553540000}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOAnnotations\CurVer | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C0BFB756-5FDB-11CF-882D-444553540000}\Programmable | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28079A20-D575-11D2-B948-0080C8276C2D} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30EF06CF-2101-4A07-BED2-C9314346ADA6}\TypeLib\ = "{95CBADD0-EE34-11D4-B386-0080C8D9F878}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOAnnotation\ = "IOAnnotation Class" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Lumenera.LumeneraCamera.1\ = "LumeneraCamera Class" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B21954DF-C555-11D4-B373-0080C8D9F878}\Categories\Cameras\ = "Cameras" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F8267752-4AB6-4D3B-A4D9-693A4EEEC82E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1008EEB1-D863-4E4C-9ECA-1BD2C13C5276} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{59B23FE1-A814-11CF-9EC7-444553540000}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39D6207C-6D26-11D4-B35E-0080C8D9F878}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{42D186E4-39C8-4E99-BA46-30D92A414F70}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\ExposeControl.dll, 101" | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E5F47BFA-D64C-4CE6-B2CA-44FD8CDF1DB6}\Info\Type = "1" | regsvr32.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | ProtoCOL3.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = [blob data not present in the report as captured] | ProtoCOL3.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = [blob data not present in the report as captured] | ProtoCOL3.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = [blob data not present in the report as captured] | ProtoCOL3.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = [blob data not present in the report as captured] | ProtoCOL3.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process
2344 | msiexec.exe
2344 | msiexec.exe
4160 | SPInstaller.exe
4160 | SPInstaller.exe
4160 | SPInstaller.exe
4160 | SPInstaller.exe
4160 | SPInstaller.exe
4160 | SPInstaller.exe
4160 | SPInstaller.exe
4160 | SPInstaller.exe
2344 | msiexec.exe
2344 | msiexec.exe
1212 | Setup.tmp
1212 | Setup.tmp
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 2084 | install.exe
Token: SeIncreaseQuotaPrivilege | 2084 | install.exe
Token: SeSecurityPrivilege | 2344 | msiexec.exe
Token: SeCreateTokenPrivilege | 2084 | install.exe
Token: SeAssignPrimaryTokenPrivilege | 2084 | install.exe
Token: SeLockMemoryPrivilege | 2084 | install.exe
Token: SeIncreaseQuotaPrivilege | 2084 | install.exe
Token: SeMachineAccountPrivilege | 2084 | install.exe
Token: SeTcbPrivilege | 2084 | install.exe
Token: SeSecurityPrivilege | 2084 | install.exe
Token: SeTakeOwnershipPrivilege | 2084 | install.exe
Token: SeLoadDriverPrivilege | 2084 | install.exe
Token: SeSystemProfilePrivilege | 2084 | install.exe
Token: SeSystemtimePrivilege | 2084 | install.exe
Token: SeProfSingleProcessPrivilege | 2084 | install.exe
Token: SeIncBasePriorityPrivilege | 2084 | install.exe
Token: SeCreatePagefilePrivilege | 2084 | install.exe
Token: SeCreatePermanentPrivilege | 2084 | install.exe
Token: SeBackupPrivilege | 2084 | install.exe
Token: SeRestorePrivilege | 2084 | install.exe
Token: SeShutdownPrivilege | 2084 | install.exe
Token: SeDebugPrivilege | 2084 | install.exe
Token: SeAuditPrivilege | 2084 | install.exe
Token: SeSystemEnvironmentPrivilege | 2084 | install.exe
Token: SeChangeNotifyPrivilege | 2084 | install.exe
Token: SeRemoteShutdownPrivilege | 2084 | install.exe
Token: SeUndockPrivilege | 2084 | install.exe
Token: SeSyncAgentPrivilege | 2084 | install.exe
Token: SeEnableDelegationPrivilege | 2084 | install.exe
Token: SeManageVolumePrivilege | 2084 | install.exe
Token: SeImpersonatePrivilege | 2084 | install.exe
Token: SeCreateGlobalPrivilege | 2084 | install.exe
Token: SeBackupPrivilege | 5000 | vssvc.exe
Token: SeRestorePrivilege | 5000 | vssvc.exe
Token: SeAuditPrivilege | 5000 | vssvc.exe
Token: SeRestorePrivilege | 2344 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2344 | msiexec.exe
Token: SeRestorePrivilege | 2344 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2344 | msiexec.exe
Token: SeRestorePrivilege | 2344 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2344 | msiexec.exe
Token: SeRestorePrivilege | 2344 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2344 | msiexec.exe
Token: SeRestorePrivilege | 2344 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2344 | msiexec.exe
Token: SeRestorePrivilege | 2344 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2344 | msiexec.exe
Token: SeRestorePrivilege | 2344 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2344 | msiexec.exe
Token: SeRestorePrivilege | 2344 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2344 | msiexec.exe
Token: SeRestorePrivilege | 2344 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2344 | msiexec.exe
Token: SeRestorePrivilege | 2344 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2344 | msiexec.exe
Token: SeRestorePrivilege | 2344 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2344 | msiexec.exe
Token: SeRestorePrivilege | 2344 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2344 | msiexec.exe
Token: SeRestorePrivilege | 2344 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2344 | msiexec.exe
Token: SeRestorePrivilege | 2344 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2344 | msiexec.exe
Token: SeRestorePrivilege | 2344 | msiexec.exe
Suspicious use of FindShellTrayWindow 5 IoCs
PID | Process
2084 | install.exe
2084 | install.exe
2584 | vc12redist_x86.exe
3468 | vc13redist_x86.exe
1212 | Setup.tmp
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4832 wrote to memory of 1212 | 4832 | Setup.exe | 87
PID 4832 wrote to memory of 1212 | 4832 | Setup.exe | 87
PID 4832 wrote to memory of 1212 | 4832 | Setup.exe | 87
PID 1212 wrote to memory of 1564 | 1212 | Setup.tmp | 92
PID 1212 wrote to memory of 1564 | 1212 | Setup.tmp | 92
PID 1212 wrote to memory of 1564 | 1212 | Setup.tmp | 92
PID 1564 wrote to memory of 2084 | 1564 | vc9redist_x86.exe | 93
PID 1564 wrote to memory of 2084 | 1564 | vc9redist_x86.exe | 93
PID 1564 wrote to memory of 2084 | 1564 | vc9redist_x86.exe | 93
PID 1212 wrote to memory of 848 | 1212 | Setup.tmp | 101
PID 1212 wrote to memory of 848 | 1212 | Setup.tmp | 101
PID 1212 wrote to memory of 848 | 1212 | Setup.tmp | 101
PID 848 wrote to memory of 2584 | 848 | vc12redist_x86.exe | 102
PID 848 wrote to memory of 2584 | 848 | vc12redist_x86.exe | 102
PID 848 wrote to memory of 2584 | 848 | vc12redist_x86.exe | 102
PID 1212 wrote to memory of 4136 | 1212 | Setup.tmp | 104
PID 1212 wrote to memory of 4136 | 1212 | Setup.tmp | 104
PID 1212 wrote to memory of 4136 | 1212 | Setup.tmp | 104
PID 4136 wrote to memory of 3468 | 4136 | vc13redist_x86.exe | 105
PID 4136 wrote to memory of 3468 | 4136 | vc13redist_x86.exe | 105
PID 4136 wrote to memory of 3468 | 4136 | vc13redist_x86.exe | 105
PID 1212 wrote to memory of 868 | 1212 | Setup.tmp | 106
PID 1212 wrote to memory of 868 | 1212 | Setup.tmp | 106
PID 1212 wrote to memory of 868 | 1212 | Setup.tmp | 106
PID 868 wrote to memory of 3692 | 868 | vc19redist_x86.exe | 107
PID 868 wrote to memory of 3692 | 868 | vc19redist_x86.exe | 107
PID 868 wrote to memory of 3692 | 868 | vc19redist_x86.exe | 107
PID 1212 wrote to memory of 2296 | 1212 | Setup.tmp | 108
PID 1212 wrote to memory of 2296 | 1212 | Setup.tmp | 108
PID 1212 wrote to memory of 2296 | 1212 | Setup.tmp | 108
PID 2296 wrote to memory of 4160 | 2296 | MSChart.exe | 109
PID 2296 wrote to memory of 4160 | 2296 | MSChart.exe | 109
PID 2296 wrote to memory of 4160 | 2296 | MSChart.exe | 109
PID 1212 wrote to memory of 3632 | 1212 | Setup.tmp | 110
PID 1212 wrote to memory of 3632 | 1212 | Setup.tmp | 110
PID 1212 wrote to memory of 3632 | 1212 | Setup.tmp | 110
PID 3632 wrote to memory of 2636 | 3632 | cmd.exe | 112
PID 3632 wrote to memory of 2636 | 3632 | cmd.exe | 112
PID 3632 wrote to memory of 2636 | 3632 | cmd.exe | 112
PID 2636 wrote to memory of 2276 | 2636 | net.exe | 113
PID 2636 wrote to memory of 2276 | 2636 | net.exe | 113
PID 2636 wrote to memory of 2276 | 2636 | net.exe | 113
PID 1212 wrote to memory of 2364 | 1212 | Setup.tmp | 114
PID 1212 wrote to memory of 2364 | 1212 | Setup.tmp | 114
PID 1212 wrote to memory of 2364 | 1212 | Setup.tmp | 114
PID 2364 wrote to memory of 4788 | 2364 | cmd.exe | 116
PID 2364 wrote to memory of 4788 | 2364 | cmd.exe | 116
PID 2364 wrote to memory of 4788 | 2364 | cmd.exe | 116
PID 4788 wrote to memory of 1416 | 4788 | net.exe | 117
PID 4788 wrote to memory of 1416 | 4788 | net.exe | 117
PID 4788 wrote to memory of 1416 | 4788 | net.exe | 117
PID 1212 wrote to memory of 1764 | 1212 | Setup.tmp | 119
PID 1212 wrote to memory of 1764 | 1212 | Setup.tmp | 119
PID 1212 wrote to memory of 1764 | 1212 | Setup.tmp | 119
PID 1212 wrote to memory of 5024 | 1212 | Setup.tmp | 120
PID 1212 wrote to memory of 5024 | 1212 | Setup.tmp | 120
PID 1212 wrote to memory of 5024 | 1212 | Setup.tmp | 120
PID 1212 wrote to memory of 4916 | 1212 | Setup.tmp | 121
PID 1212 wrote to memory of 4916 | 1212 | Setup.tmp | 121
PID 1212 wrote to memory of 4916 | 1212 | Setup.tmp | 121
PID 1212 wrote to memory of 1560 | 1212 | Setup.tmp | 122
PID 1212 wrote to memory of 1560 | 1212 | Setup.tmp | 122
PID 1212 wrote to memory of 1560 | 1212 | Setup.tmp | 122
PID 1212 wrote to memory of 1168 | 1212 | Setup.tmp | 123
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  - Suspicious use of WriteProcessMemory
  PID: 4832

    C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp" /SL5="$8011E,110133280,125952,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 1212

        C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc9redist_x86.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc9redist_x86.exe" /QB
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID: 1564

            \??\c:\baae18ae73fa398b245866\install.exe
              Command line: c:\baae18ae73fa398b245866\.\install.exe /QB
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              PID: 2084

        C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc12redist_x86.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc12redist_x86.exe" /passive
          - Adds Run key to start application
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID: 848

            C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc12redist_x86.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc12redist_x86.exe" /passive -burn.unelevated BurnPipe.{934C1F13-F3D8-4E56-A1BB-1DEB1130E9B9} {19C77368-7F0B-4F78-BF9E-879E4CDC1225} 848
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of FindShellTrayWindow
              PID: 2584

        C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc13redist_x86.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc13redist_x86.exe" /passive
          - Adds Run key to start application
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID: 4136

            C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc13redist_x86.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc13redist_x86.exe" /passive -burn.unelevated BurnPipe.{D76531FB-ECA7-4E02-828E-0ACAA6A771D7} {97B1AB6D-97ED-4CB9-A6BF-309BE1B2823E} 4136
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of FindShellTrayWindow
              PID: 3468

        C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc19redist_x86.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc19redist_x86.exe" /passive
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID: 868

            C:\Windows\Temp\{897C4252-F799-4486-92FA-14C2366DFE88}\.cr\vc19redist_x86.exe
              Command line: "C:\Windows\Temp\{897C4252-F799-4486-92FA-14C2366DFE88}\.cr\vc19redist_x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc19redist_x86.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /passive
              - Executes dropped EXE
              - Loads dropped DLL
              PID: 3692

        C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\MSChart.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\MSChart.exe" /passive
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID: 2296

            \??\c:\4a051f497f7543617520ac\SPInstaller.exe
              Command line: c:\4a051f497f7543617520ac\SPInstaller.exe /passive
              - Executes dropped EXE
              - Loads dropped DLL
              - Checks processor information in registry
              - Suspicious behavior: EnumeratesProcesses
              PID: 4160

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c "net stop ArtemisHscServiceMonitor"
          - Suspicious use of WriteProcessMemory
          PID: 3632

            C:\Windows\SysWOW64\net.exe
              Command line: net stop ArtemisHscServiceMonitor
              - Suspicious use of WriteProcessMemory
              PID: 2636

                C:\Windows\SysWOW64\net1.exe
                  Command line: C:\Windows\system32\net1 stop ArtemisHscServiceMonitor
                  PID: 2276

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c "net stop ArtemisHscService"
          - Suspicious use of WriteProcessMemory
          PID: 2364

            C:\Windows\SysWOW64\net.exe
              Command line: net stop ArtemisHscService
              - Suspicious use of WriteProcessMemory
              PID: 4788

                C:\Windows\SysWOW64\net1.exe
                  Command line: C:\Windows\system32\net1 stop ArtemisHscService
                  PID: 1416

        C:\Windows\SysWOW64\regsvr32.exe
          Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\DMX.dll"
          - Modifies registry class
          PID: 1764

        C:\Windows\SysWOW64\regsvr32.exe
          Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\io.dll"
          - Modifies registry class
          PID: 5024

        C:\Windows\SysWOW64\regsvr32.exe
          Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\iograbberinterfaces.olb"
          - Modifies registry class
          PID: 4916

        C:\Windows\SysWOW64\regsvr32.exe
          Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\FocusIndicator.dll"
          - Modifies registry class
          PID: 1560

        C:\Windows\SysWOW64\regsvr32.exe
          Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\ExposeControl.dll"
          - Modifies registry class
          PID: 1168

        C:\Windows\SysWOW64\regsvr32.exe
          Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\lumenera.dll"
          - Modifies registry class
          PID: 4088

        C:\Windows\SysWOW64\regsvr32.exe
          Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\GenericDarkroom.olb"
          - Modifies registry class
          PID: 2184

        C:\Windows\SysWOW64\regsvr32.exe
          Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\ioArt.dll"
          - Modifies registry class
          PID: 4076

        C:\Windows\SysWOW64\regsvr32.exe
          Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\ioPointGrey.dll"
          PID: 312

        C:\Windows\SysWOW64\NET.exe
          Command line: "NET" LOCALGROUP "ProtoCOL Admins" /ADD /COMMENT:"The administration group for ProtoCOL"
          PID: 372

            C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 LOCALGROUP "ProtoCOL Admins" /ADD /COMMENT:"The administration group for ProtoCOL"
              PID: 4464

        C:\Windows\SysWOW64\NET.exe
          Command line: "NET" LOCALGROUP "ProtoCOL Advanced Users" /ADD /COMMENT:"The advanced user group for ProtoCOL"
          PID: 4460

            C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 LOCALGROUP "ProtoCOL Advanced Users" /ADD /COMMENT:"The advanced user group for ProtoCOL"
              PID: 2260

        C:\Windows\SysWOW64\NET.exe
          Command line: "NET" LOCALGROUP "ProtoCOL Users" /ADD /COMMENT:"The user group for ProtoCOL"
          PID: 820

            C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 LOCALGROUP "ProtoCOL Users" /ADD /COMMENT:"The user group for ProtoCOL"
              PID: 1908

        C:\Program Files (x86)\Synbiosis\ProtoCOL3\DatabaseUpdater.exe
          Command line: "C:\Program Files (x86)\Synbiosis\ProtoCOL3\DatabaseUpdater.exe" /install
          - Executes dropped EXE
          PID: 4440

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2344

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 5000

C:\Program Files (x86)\Synbiosis\ProtoCOL3\ProtoCOL3.exe
  Command line: "C:\Program Files (x86)\Synbiosis\ProtoCOL3\ProtoCOL3.exe"
  - Executes dropped EXE
  - Modifies system certificate store
  PID: 2432
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Modify Registry (2)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Downloads
Filesize: 76KB
MD5: 075bfb4c71d2fb11b644eaabd8b64a01
SHA1: 479b6189ca547e6e2926fca014561619766bf8d7
SHA256: 2a99618b7d7416d86ea55dad961e785688979acb578ba85851c0b9a6dfe41a58
SHA512: 9230dd2d4956edf6dffa179a0e22bef3ef8432f6d09291c8e3f9db82db5f49bf39fe4faf1ef58f41947085b4e8fe129c0a8919d584bc97d784cd8b320ad91665

Filesize: 14KB
MD5: c3a578eeb6d1fe943a52f7e1f8a98142
SHA1: 6e0b3d8b918dd61dfc950090cbedf206de95b4d4
SHA256: a75a574826f056ab1d984874ee0dd33c2ea7a8ded0ceb7533a05ef52028a65e4
SHA512: 22011e3485fd84fa00c30374a4e59144403a63d7b073ec5678fa1b0eeb77a850158ef21ad4e1da5fe05c9e23b40399170ea1870515efb2e5ad28b4459a110767

Filesize: 4.5MB
MD5: 827af659355b680117fdbdc542edc328
SHA1: 2197dd695f2e561387665caa512b3113312d8c7a
SHA256: b617e1f86ef1df71f60811340ed1160cacf69399e7736d641ee9095c1477ac0c
SHA512: dddf5940607cad8f68e0f581ae14b0c734089587d082afa3c92aa6109b46b7c11e9c362047ffa70799bc20ab39ff0fbcd85c0168d18af64922ccf832f95ec11b

Filesize: 618B
MD5: ed8339dcfa1167a5042770c73a5641dc
SHA1: f6cf19c148f67c514eddc9946defe7c8eb5a36b5
SHA256: e9c480dd9637882b633d1e0b01431d27183b4f94be88d84c7b92c36ff9a342b1
SHA512: a96faff093ad21c6c4ee5a429073d8517dbe179e06178f0c589f1570b99029351eb38e86f8c24323d012fde4e4d43afc5bcf8526ab9d7085d06483e870ffa43c

Filesize: 16KB
MD5: 3fb443021b7cc775653091fbda3f0485
SHA1: 8d9902c5025fc05e264afbd26d8cc8fa84ef713f
SHA256: dc32ddb61a8d542f16f9acbfe26ced213ab847dd606c934a22beb2dd034b74d3
SHA512: d7426d5db8a37e970ff61dab3b69e6fdcfd8881c5c62e45b9cc5b9f49286af237f6a55e5bf82e11f5c9cb2d3c3332d922c7d8fdd4e12cd31bcf4f116e233957a

Filesize: 392B
MD5: 9bf58dcaaa3425beb2bc296bc7f73e80
SHA1: 0768dd256915835aeb4363bf48ba414fc57407f2
SHA256: 771e518b8a00f296cabed0960be3bf6a9e942fad1f6b98c2e637f454553c707c
SHA512: fca6fc24858b7ff799f0a3ec6fdc968f7953625350d68298205b2e07845a90d4eb9c609cbb501eb59ebf5976d1c37c5484d1ed6c82334784edc705dcea39ecf2

Filesize: 2KB
MD5: a55df22b32b19c4d96d5339c358739c2
SHA1: 8b95c133c5da7a5bc179697b104dc7bc101f1098
SHA256: 559a984cce25afd5491a56334b86cf27378a0ec904d07c6e08cb7bc5f52ef315
SHA512: 589f59e4707890888d44de6fe731138eccc5513bf606e378b59cf72ca770406f747d86085eebacce00e9e71a3550734af05e82039b2e11e4503be98a766ca2e5

Filesize: 1.8MB
MD5: e7605df8e1a6ef547c2f77a304de8848
SHA1: 776c876430e692c702a8eabed9c89d1ad94d5927
SHA256: 95ca5aaa5e9b19dc55127bf89a32abec4f72c4ae03495e461d251a6ecfbeed92
SHA512: 58c3ea86fb722bcbe074f634901650ec19262d47a42f9011fbae4e57fd80bdca797cd20d849f382da2671eb9eec52883a15a6ee017483d803c7aab46f029ac18

Filesize: 23KB
MD5: 77d6d961f71a8c558513bed6fd0ad6f1
SHA1: 122bb9ed6704b72250e4e31b5d5fc2f0476c4b6a
SHA256: 5da7c8d33d3b7db46277012d92875c0b850c8abf1eb3c8c9c5b9532089a0bcf0
SHA512: b0921e2442b4cdec8cc479ba3751a01c0646a4804e2f4a5d5632fa2dbf54cc45d4cccffa4d5b522d42afc2f6a622e07882ed7e663c8462333b082e82503f335a

Filesize: 6.3MB
MD5: 7f52a19ecaf7db3c163dd164be3e592e
SHA1: 96b377a27ac5445328cbaae210fc4f0aaa750d3f
SHA256: b924ad8062eaf4e70437c8be50fa612162795ff0839479546ce907ffa8d6e386
SHA512: 60220a7c9de72796bd0d6d44e2b82dbdd9c850cc611e505b7dc0213f745ff1f160b2d826eaf62fd6e07c1a31786a71d83dc6e94389690fd59b895e85aba7444b

Filesize: 6.2MB
MD5: 99e3d99d8ed70ac88f59e31757ed3d62
SHA1: 18f81495bc5e6b293c69c28b0ac088a96debbab2
SHA256: bbc26aca42cd311a0e1ea1356852f061d863af047f1891ac9952ab7e7cb8e04f
SHA512: 34ff42d09d1738df912823fcb8c16ab28927415f736f0a49779f9eddf0e2fe36682fa3d021414b4751532b0d385aa513290f6c44c48936500c9a58b332fc147c

Filesize: 13.6MB
MD5: 35b40b21383ac38487ceec8ab6e53565
SHA1: 59894bd9c96361b475c3b4b7ca9719c72e813d04
SHA256: caa38fd474164a38ab47ac1755c8ccca5ccfacfa9a874f62609e6439924e87ec
SHA512: 3a00b40ba8cd1cf8a523efab656f5b8910a3b07f9d8fba4ffc07745165b6375affd77b00fd3064fa72fb984c1773438a39e67a55363be23dd8fe1727c1016b8e

Filesize: 4.0MB
MD5: 5689d43c3b201dd3810fa3bba4a6476a
SHA1: 6939100e397cef26ec22e95e53fcd9fc979b7bc9
SHA256: 41f45a46ee56626ff2699d525bb56a3bb4718c5ca5f4fb5b3b38add64584026b
SHA512: 4875134c664503242ec60717232f2917edca20286fc4b675223edbbe5dc0239ebfaf8f67edd76fedcaa2be5419490dc6f47930ca260e6c9988ccf242416c204b

Filesize: 1.1MB
MD5: 898d42b5939b4bbc6057c4a85c4e0cfb
SHA1: 219fc6d4f8f82260f1a9194f262770e2b3509339
SHA256: acb1db9d7755b12718c02acc9d10660046fc39626e000f763e037a06e52719ea
SHA512: 7c36c852e0b6288267a28323e34f60dd3c7799982def2c3e9d86848c3967ad64ad043ecfcef7a7eb3232739279cc53b0fd98945b7321647373bdc955ca410d43

Filesize: 1KB
MD5: d6bd210f227442b3362493d046cea233
SHA1: ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256: 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512: 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Filesize: 126KB
MD5: d7bf29763354eda154aad637017b5483
SHA1: dfa7d296bfeecde738ef4708aaabfebec6bc1e48
SHA256: 7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93
SHA512: 1c76175732fe68b9b12cb46077daa21e086041adbd65401717a9a1b5f3c516e03c35a90897c22c7281647d6af4a1a5ffb3fbd5706ea376d8f6e574d27396019c

Filesize: 117KB
MD5: fb45cc1b78259a878ccc2247d4ceb68c
SHA1: 0be045e040f9cffdc2baf021c320abcb471439be
SHA256: 87644901a31aa7ee1f61e5906d225491846563eb4a53a302fa337c4ec25e3714
SHA512: c9fdb0019b3b0a7c5c97aa5ea880d7b1522496dc09b097f777233352589a43f2564c0a2fe4fbcfc95c9b70720e0ac1b97b369def65352302ab5a4863ab9fa43b

Filesize: 444KB
MD5: e6d5fb03f157f33376e9d8a1055ed70a
SHA1: 541add9491f98277163c822390d7c8da07754ae0
SHA256: 52a0948253c8120a6e1f96f717978270bbd2d07c0ce46c5f2b8b8ffa7a967494
SHA512: 51298ec2dde1d8ec6956cee8dce75572fc85217f49e071867a8a2987071e595db03bf1e1b8a4e7b5439d9383fc0daa89dedeb1573aba8ce32aa4c24bf28d1a75

Filesize: 39KB
MD5: a497584d5356ece498183eaf9fb353a3
SHA1: a0d1400b0ee1492b96d5d15972050500a0a7f7a2
SHA256: 13c8e09908cc076d93ec3f7ade0b9127fc9d38763ea90f8a5d83c57d835c2582
SHA512: e694c97baa54a642df34385e720f1658392dd7bf87a4d8b0d5332ff41c6b1577d452041e90edaf0b8b459a4da6f867102f5c0cb9273091a806a504f7e07b0152

Filesize: 2KB
MD5: fbfcbc4dacc566a3c426f43ce10907b6
SHA1: 63c45f9a771161740e100faf710f30eed017d723
SHA256: 70400f181d00e1769774ff36bcd8b1ab5fbc431418067d31b876d18cc04ef4ce
SHA512: 063fb6685ee8d2fa57863a74d66a83c819fe848ba3072b6e7d1b4fe397a9b24a1037183bb2fda776033c0936be83888a6456aae947e240521e2ab75d984ee35e

Filesize: 191KB
MD5: eab9caf4277829abdf6223ec1efa0edd
SHA1: 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256: a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512: 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Filesize: 632KB
MD5: 86123c033231dd7e427d619ddeefd26a
SHA1: 608c085348fd9c4e124e6f28f0388ccdac6ab2b5
SHA256: d863fb2f65bb6eea492e79ab9d09a53cc226e85f57d6545cb82f60b122a4b737
SHA512: ffb574123b350d3c9434abc88baa050ae6e54b5b9ebf3f1dcf4bf079284135696004508653e74a3a3c2fa8e4c1b681c3f31d5fe69e0f0c5f45ed37f9ddc61e78

Filesize: 80KB
MD5: 68921811aae9fc8c544274a580369483
SHA1: 8f113e1f286c43d8037d58d7047ffc9196e12e05
SHA256: 41552906188914f8b781315751ed105acc8ccbdcd160baecb7f88ce4caf23923
SHA512: fb6fe53638b02b6a326ace5dd506302a8b5c32f728a99e4725a701b069605f2f1b3e8ef6d0bf870dcc248fa72c109f0d9a509ae7cfbf4ba17f9bac50e6c970cd

Filesize: 1.7MB
MD5: 4eb366f068876656057fccb2b5360fdb
SHA1: 5ca25be2e5fd5205971c931c30ee52bd1855ed05
SHA256: 9d193f4ac582a024e9c8a386717944e82d281e30b30bd1b3b4d015dcb52a5d56
SHA512: 177a0c7f8ac5526ca8622447816412a91c2ff1c6933b6f67bfe3bae4aa9cafd81b787bbc8df106ae96167f1e6f1cdf63ab7b3ed81f9a1370f23af05259abe7dc

Filesize: 1.6MB
MD5: 6502f885536ef34d3011acec9021b4a2
SHA1: 4ae4723cd4c36c82bf85737580ac29832756a871
SHA256: ee4b416f47e919459134253dc7429993a3f33bb31fad9e6fb95a16bf4fd3995d
SHA512: e6d68d84c51b11c874eda91a49d67a0ebb4f2221e4531c1aa971178978deb08a16914c7a97e4b8a85af8642aa7ef50b1b4a87ada51d09cdb3e959c5d08106602

Filesize: 72KB
MD5: f9ce119437c7c56eda862b412f5b7dfd
SHA1: 092dfc99d44b3d1ff9ef2af7e2a80b7941ff0131
SHA256: 49248d90a581d2e9933b1013b7f2aef8346f6da297851c9215ac45f8fe9fd857
SHA512: c8ba2f65c040946c26657d4e939ff2b069b806c6adde938a1b5971432df6b3796abb23c1bf9722b1e1483480fa488a42642b71c1e71d909a57d134088eabf620

Filesize: 549KB
MD5: 33c9213ff5849ef7346799cae4d8ac80
SHA1: 5421169811570171e9d2d0a1cdca9665273e7b59
SHA256: 3377e31d233ff41aea253e6221815820997763acdf40b005f8791400366cb8ff
SHA512: da0fc3f57156e06c0c37c1fb5176e1b147ce4aa21f519112123722496b04ad4bc3d366e2b51fd78de1ba0304d35bfd5e5fc95cabc2b3eb174f77636a8fa162a1

Filesize: 50KB
MD5: 4cea15e2da2d63993363ff4f4d6e7c48
SHA1: 5d753d5b72abfe1ca202ad8ed4db60da9d5ae0bf
SHA256: 3a95d2f43ce9727cfc61b68f27f2217e9098e793f01ea1439de62005bbdb55d6
SHA512: 71700bc823dcbc8333550dab555acfa42bb4a7d6eb15564fb639bfa829b56f8549be125c5679c9f65db9b958c8f924504cae1c8c5ac1377307fd76aa504bd5c7

Filesize: 16KB
MD5: ed37a53d539007fec2ff78bbfc449ec8
SHA1: a59b06a2544e612b8c712ebb0e29705922704156
SHA256: b5f71fb8b34fb75a1a89251b5de3b22c25232ab84c6a392c85f738d75de86678
SHA512: 921a5e8d68b39019657153b371cbce0fda8b842dca89889a4f11a8187344b2ada74dbf863f8d0f9a9dc7837af11c7e0f94cc5a8fba0d5e8c449758482af8adf9

Filesize: 14KB
MD5: 60194fff32d63effec5a298a3de26da1
SHA1: f149a86d77e56127b9a3721e85e69066638ed92b
SHA256: 66a4a89410cba0b00035e0356120187c1aaf0e2a13787811a782a26d1a832c1d
SHA512: d2bd136593267f0ef9c8a31ea243f5020d56cbbfc2d4f66de8340aeab4eefd42e2c3f85888736d20623fe365ceb735d6554547fbb7c19d1ee76cf25796327c05

Filesize: 2KB
MD5: 8d82e881132076df04aa63ee0469017d
SHA1: 941214a5e8082f5dae9fc61dcfe2737045fdc7b0
SHA256: e1ad3bdb0caeca027126cb8925f19efb504444a12a000a99e97a4bd75290f89b
SHA512: 049345de531f5f5b47aa5ae2aa3f4a90e1ba0f91c24a8e94fdcf5f0e4b5e07ec76c7ce1f6fb47ee36616900df455458576225c0a7bd23025315853c5b9ace19d

Filesize: 579KB
MD5: 7c071bc63b58519d2712a13337055fc7
SHA1: e27822a2e785ba0b64d1b6f14035f2fe2ccf6eb5
SHA256: d89494e63910cfc528139a0304555577638da38b5258bdfd22aa86300e00fc8a
SHA512: fa86c69bd79bea703ac218ac5e4d3a18b2c9de66f29458e59f502708c4f28eb57743672c3bf20ec97eeed7bce99568a9290bbe46107d9ea968f46452fb41a66a

Filesize: 232KB
MD5: c99e0fa0933efc3658dd02525b43fdd7
SHA1: 3cdd7b8d22f2d8519f5544b7f12ac30a2268a5b9
SHA256: 7eaf337bcb544eaa50b46c114cfde2d21954299e5b84fade03dc37c15d1b00ab
SHA512: 9b4187863e7057e1f250ed1e0a616e2a4746b11ef4f0ae4b017d2c2cf7dab23de030e12f54ca74edb18427bd009d03e465b6687603344ccab9bd2f3f8aa3772f

Filesize: 10KB
MD5: bcd1b1b5fd79f3be496c430480a72096
SHA1: db0a33a1c11c65e9b7a7960ae9737b87f2ef6406
SHA256: 918d468ecc579e74209643b4a1e16afa5b918b1c3b2fb509ac4c5d01a24aed0e
SHA512: a15d831023d4204070137a9381280880236c916369b41b0a6c444c334b10680df45756554dcc97a65a6a88dd5ca67672803baa9ea14513fa357c2a98c371385f

Filesize: 139KB
MD5: 89e2c7e8af95c3cd3209ed67837d882f
SHA1: def626501cf2d8bacfed0ef3c2f6137a6af0d138
SHA256: f19eaba1f8e6c28215d93481ddfa37767390500c70ea5cc06d747eb1132b41dd
SHA512: 0b6155c1413ad48c4a1665a7aa87ec004e860c2da2d6cad96ec4b9436e9ff649e5cd807895730f2f49aecd5ba7a1f6bf83d0e47e58b504983033a2bd2ddc9a01

Filesize: 3.7MB
MD5: ecca3c1acb74cb73c600eabdd3f9c9d9
SHA1: f015759f623c377494a5996670204f1fcd0895e3
SHA256: 43b7648183347374236296f2176c7c7da920da9c1a08adda761e12614efb299e
SHA512: 2785b8e8cfc310ec114cee696c5b85900fc71186dcbf0c99a9c13f4f0fdcc9e9dd583c9d1fd82492a680efcd7071c3593b02b628bd947bc19b1302b931aca807

Filesize: 3KB
MD5: f187c4924020065b61ec9ef8eb482415
SHA1: 280fc99fb90f10a41461a8ee33dbfba5f02d059d
SHA256: cfa4f2c6c2a8f86896c5a6f9a16e81932734136c3dfde6b4ed44735e9c8115c2
SHA512: 1d5a8e80fb6805577258f87c4efd7c26a9ac1c69f7dea1553d6f26bcc462d2d9c01d4b94077f70110a33b39648c9aa3bb685e10534f19ba832d475e9ee6aa743

Filesize: 15KB
MD5: 3168ed3b48c1dc8d373c2abc036574cf
SHA1: 7ffbcfb6cd9b262a0e9a55853d76055693f60c60
SHA256: 3e4d78fcc11eecb23af12a4eaa316114bb36d39561f6062a3921c08a43261321
SHA512: 9465640705c382bb736e468a2ffb303ecfb2637c55ddca759d1fb190279b98103def64a8c599deaa1439e58c41d7b2c2809332c2a5f18945e9ee3d6c046a5197

Filesize: 9KB
MD5: 162fc8231b1bd62f1d24024bb70140d5
SHA1: 7fa4601390f1a69b4824ee1334bee772c2941a24
SHA256: c68a0fd93e8c64139a42af4fcd4670c6faea3a5d5d1e9dd35b197f7d5268d92b
SHA512: a707b5ef0e914ba61e815be5224831441922ed8d933f7a2ffe8aecf41f5a1790a1e45981f19d86aa5eab5ea73d03b0c8e2ab6b9f398ab0154d1c828da6f6beda

Filesize: 11KB
MD5: c360851dfdf51b6ddc9cfcc62c584898
SHA1: f8fbe6b98039d01700dc49eb454bb1c1d8cc4aa6
SHA256: 3456ebc9c6decef8b27b10d97f7f6d30a73b5da0024e1b8a0657e3b9a1cc93d9
SHA512: a340a7d98b4b6f925a803805224e733433e76230a36c4ab17e28f9d5951b81280d776153414701b29bb05b496b726932683e35fb603587d7ff5b716a88fece8d

Filesize: 13KB
MD5: 04b833156f39fcc4cee4ae7a0e7224a1
SHA1: 2ffa9577a21962532c26819f9f1e8cd71ab396bd
SHA256: ebafaeb37464ed00e579dab5b573908e026cd0e3444079f398aada13fa9a6f66
SHA512: 8d3f6a900ebd63a3af74ab41ac54d3041de5fe47331a5e0d442d1707f72a8f557d93d2f527bbb857fb1c67dd8332961fd69acc87de81ba4f2006c37b575f9608

Filesize: 5KB
MD5: 031fab3fb14a85334e7e49d62a5179fe
SHA1: 12370185ef938a791609602245372e3e70db31be
SHA256: 467773ddffdb3f31027595313b70d1ea934c828b124d1063a4aa4dbe90f15961
SHA512: 7424a52bbb18a006816ee544d47f660e086557d13bb587d765631307da96aba56d8b9cd3d4e7d50c2a791815273910cef95ebe928bc03dd9c540b97ac7a86447

Filesize: 5KB
MD5: 6fcd6b5ef928a75655d6be51555288c7
SHA1: eafdcc178343780b83f1280dad9d517aaedab9e4
SHA256: 3d45f022996cd6d9ebb659a202fbfd099795f9a39ed4e6bbd62ac6f6ed5f8c7b
SHA512: 635ba44d8d8ecfbdb83a88688126f68c9c607e452e67d19247dfe7c307c341dad9b1d2dc3eae56311c4b3e9617ab1ee2bd2a908570df632af6de1e1fa08bf905

Filesize: 13KB
MD5: bc3a8865b60ec692293679e3e400fd58
SHA1: 2b43b69e6158f307fb60c47a70a606cd7e295341
SHA256: f82bca639841fa7387ae9bbf9eca33295fab20fade57496e458152068c06f8a3
SHA512: 0d9820416802623e7cd5539d75871447f665481b81758c08f392f412bc0fd2ef12008be0960c108d1c1ce6f26422f1b16161705104d7a582df6a1006b0d1b610

Filesize: 3KB
MD5: ec4b365a67e7d7db46f095f1b3dcb046
SHA1: d4506530b132ef4aad51fcbc0315dadc110c9b81
SHA256: 744275c515354ece1a997dd510f0b3ea607147bbf2b7d73f8fca61839675ba27
SHA512: 5e5d1e196fc6ac194589bc6c6ab24e259aed8cbd856999390495fd5ec4211f212c6898e1b63538bfbb4401a5b4da08f3a2e09bca1cfb2e9c2cee38e63190b2a2

Filesize: 12KB
MD5: c2d1221cd1c783b5d58b150f2d51aebf
SHA1: 3bc9b6419a5f9dcf9064ae9ef3a76c699e750a60
SHA256: c79ff7b9e67aed57f939343a3d5fd4fb01aa7412530693464571148b893b7132
SHA512: c4ec596814b408e3c0aaf98864e2769c6175dba020f3014dd79f0190d81812020c932afca449e6b8b35233f36f2ab2efad0dc8d0d68dccdb40f6715fb1d050b4

Filesize: 1KB
MD5: 0a6b586fabd072bd7382b5e24194eac7
SHA1: 60e3c7215c1a40fbfb3016d52c2de44592f8ca95
SHA256: 7912e3fcf2698cf4f8625e563cd8215c6668739cae18bd6f27af2d25bec5c951
SHA512: b96b0448e9f0e94a7867b6bb103979e9ef2c0e074bcb85988d450d63de6edcf21dc83bb154aafb7de524af3c3734f0bb1ba649db0408612479322e1aa85be9f4

Filesize: 844B
MD5: 5feaa6a36fea7dfdb88c18d69ba6d6a9
SHA1: 7afd91a7b046d68b6ee9fd367bcd7a4fec546216
SHA256: 67a50ffbb8a1d500eaa4d9f0227d6a8595a2750154e6b31662fc4f51286e47fc
SHA512: 6c8c0456f232a02a49d51b3f1a830a18b9078e621cd0dc3f4f76f79b83035e8affac67bce3af9a37fa9096a34a8499c59cf982b63a4b2400b9190d2db293e682

Filesize: 74KB
MD5: 5e7e93fb7b9d36665b10be97703dafe5
SHA1: 17b42892768e9742920febf70e9214997e3f04ef
SHA256: b8f0f576199e32fd906538537c8da052ee666a91ef971c577a53fd715e544604
SHA512: 8f2828606ae34a691be77cdc5dc20f3aeb641bb24742fac04860a6f847c42cdc8453b8e5f9722f7b016438849c2b57fc8ea9b41111b69ffed30624e16824a1d6

Filesize: 94KB
MD5: a1157142485b86985c03e26add533201
SHA1: 05320791cdf33ff3a9989396f6b54172b2d7d0ee
SHA256: 94779d2272a18a0340156225485aab95d0473aef478442dfe392d11b7e6f41db
SHA512: 3fa2b3c4c57e071f24cdd02fc53dca5206370c8161cd9ba7b95fa8a9bce9e5268f3f7824908f93df7a087afd38425219447339f40908ffc9b1d593d063ae21c1

Filesize: 89KB
MD5: 8e97ea8a1ed69806232e8743f9a28706
SHA1: e911d3802e64f9be0e1ac68865bbcc92624d6a1f
SHA256: 2893b1b9751f833d4a3ded7c1fba1a96cada2927a2349c5d751365eed647c100
SHA512: aa57fe0b822145aa1d8eb72f9735ef5d92036f24c4c80392799d701447d18ea510331f5653b39c43dc923cd0f1a61bf87be0f8a4927f6e3754d19ac76fd443c3

Filesize: 94KB
MD5: cbf6e77d932688970a28328ca5263501
SHA1: b1d469e921ba90df15760943f228ebb2cbc55792
SHA256: 3ffe888bc0bbe9bb81369b49171d532839fbea931d8553371e857df6ef815c13
SHA512: eeb2773960f7ecf9e87b5225cc730651388fab7dadda766a38d345f051ce2cab7027ac6c7286092e86f71c67b8c8a8c01c3808f205082280ad051fcba96358c9

Filesize: 93KB
MD5: dcca7196203d338b41ead5e1418c6a92
SHA1: 44267accc8577f093abc77dff8d5f7ff25c343b2
SHA256: c2a81077da2201d180bd5496129ea6bcfc5930d8a6d256babdb9a552b1a597d2
SHA512: 13e934786445067be1c9eca38587dc55e294b2df6e1a16d13c584dc3c031126314047c007ecbc4548aa9bbe1f1021f19cd6b639fc66f43ef9465f4c4c10df049

Filesize: 79KB
MD5: 0fcc2f2bf7c18392514413a3c2a5ec5a
SHA1: bf7f494336589b8763b0936f0558749dbb407c4b
SHA256: 11c111b3f24ba7d197007fb572b9f77e7d6f58c290de239a08f287c2aeb3b89d
SHA512: c704d1264fd2a106487baf87f6db054862bb31576b0716fe1570eca46ba90519c23c3246852c6b33ec1cf1fc6ff1529b163ff38ec9d32c5eb588585545fcb596

Filesize: 78KB
MD5: d276d0c01bf44cb781ff5d293676674b
SHA1: f96e3a9bbac867b4dd9b24312845a852a5b44ed4
SHA256: d6f45cb0308e3790b0d819cae9d87e61d79468414ce7f78bd41e7289fc832945
SHA512: 46100a058157b8435633bf0fc6a2c92086d74c60e480e0faa016e7aaba848e16c2431e48b83e738c28e3a393592ff6cc27b7a2c2a55ff6d94494cf83686175c7

Filesize: 91KB
MD5: 2e57ae4186f17be4148077ffe8212a27
SHA1: edad955ab3deef258c354d134b5a3443369f85f8
SHA256: ac9ef02d54eb87a5bc2bc8c77a6497853072ff37e7e82495ef8d79f6a5af07e3
SHA512: b2f239253866aab26cb1ab8a90f89ff90553cdb5897bba2ebf0e08eefb5a975c68bf7904f15b09e33777718478e3cc1a074dff8d8ddacc8a56b675adf125443b

Filesize: 74KB
MD5: 4b8d230ccfadf8a2d3ea4b1512238292
SHA1: 53793dde6106277c33367de5cf361f79a52692c2
SHA256: 8fec53f664217f624ec8229425abde74225eccf6b55e41d4c12c9d9789f4159c
SHA512: 10993d5ca2b40060ba5925e8d7c008d028c06d909cb3b3a8f8da6a289e2cd45b95227114115e7ab6bed7fc91601d94c5b3c1a9d44e08850dc3048e4e9d51423d

Filesize: 94KB
MD5: 55a9b25fa0d768fb902842439d041b1f
SHA1: da103afd92af9b6f89b604191db2805a015a8c38
SHA256: 8f826dba565fc464395ed24219da946f55692705de9f61f501dcfebf338970a3
SHA512: dc1b1dc345cb0e2e7e055abc07fc1374abbf773afae64fc27db292c5b97a166bfe4eaa69188d6831a91bfa2913c2238277a860a098ee9606b4112cba55067f7d

Filesize: 227KB
MD5: 6e17361f8e53b47656bcf0ed90ade095
SHA1: bce290a700e31579356f7122fb38ce3be452628a
SHA256: 8811e5fe167223d906701bc8deb789de0a731e888e285834bcae164b03d43c96
SHA512: a566fc8bbb4d354db32f13de2fde73a1210c61b1c30a1be22b16c7e98b8d51c673259c57a924b04035cb9f0bf4a087a3e8b32221e7ff87032cddc840ffe3ed2f

Filesize: 5KB
MD5: 06fba95313f26e300917c6cea4480890
SHA1: 31beee44776f114078fc403e405eaa5936c4bc3b
SHA256: 594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1
SHA512: 7dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd