Analysis
-
max time kernel
263s -
max time network
304s -
platform
windows11-21h2_x64 -
resource
win11-20240709-en -
resource tags
arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system -
submitted
24-07-2024 15:24
Static task
static1
General
-
Target
sheet rat v2.6.7z
-
Size
29.8MB
-
MD5
7711fffefdcb2bf2dcbbe6f9616d2066
-
SHA1
eaaf96b6f574714d3954bf1078944dc8069b8fd4
-
SHA256
8cb34690ae0cb7b8124f8feb1e3852def62e49071a775a457015c4e352a3ad93
-
SHA512
90d2a968642620303e974c361d939f6eee6dfc1384870a3fd44a1cb164c5ed90a8bd2a7fc9c80452057343131091a44e0a645fea6e774fef00804d1b44844f3b
-
SSDEEP
786432:bIVkxDTlPquNUuQuDFEh86AZB/uDC58+Y41+3Fqky:bIVwNPz+ukJAZSC5n1+a
Malware Config
Signatures
-
Async RAT payload 1 IoCs
resource yara_rule behavioral1/files/0x000100000002aa40-147.dat family_asyncrat -
Executes dropped EXE 2 IoCs
pid Process 4196 Server.exe 2580 Server.exe -
Loads dropped DLL 30 IoCs
pid Process 4196 Server.exe 4196 Server.exe 4196 Server.exe 4196 Server.exe 4196 Server.exe 4196 Server.exe 4196 Server.exe 4196 Server.exe 4196 Server.exe 4196 Server.exe 4196 Server.exe 4196 Server.exe 4196 Server.exe 2580 Server.exe 2580 Server.exe 2580 Server.exe 2580 Server.exe 2580 Server.exe 2580 Server.exe 2580 Server.exe 2580 Server.exe 2580 Server.exe 2580 Server.exe 2580 Server.exe 2580 Server.exe 4196 Server.exe 4196 Server.exe 2580 Server.exe 2580 Server.exe 2580 Server.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: unregmp2.exe File opened (read-only) \??\Z: unregmp2.exe File opened (read-only) \??\K: wmplayer.exe File opened (read-only) \??\P: unregmp2.exe File opened (read-only) \??\B: wmplayer.exe File opened (read-only) \??\N: wmplayer.exe File opened (read-only) \??\T: wmplayer.exe File opened (read-only) \??\X: wmplayer.exe File opened (read-only) \??\Z: wmplayer.exe File opened (read-only) \??\A: unregmp2.exe File opened (read-only) \??\B: unregmp2.exe File opened (read-only) \??\E: unregmp2.exe File opened (read-only) \??\M: unregmp2.exe File opened (read-only) \??\N: unregmp2.exe File opened (read-only) \??\O: unregmp2.exe File opened (read-only) \??\U: unregmp2.exe File opened (read-only) \??\G: wmplayer.exe File opened (read-only) \??\H: wmplayer.exe File opened (read-only) \??\Y: wmplayer.exe File opened (read-only) \??\H: unregmp2.exe File opened (read-only) \??\J: unregmp2.exe File opened (read-only) \??\I: wmplayer.exe File opened (read-only) \??\L: wmplayer.exe File opened (read-only) \??\I: unregmp2.exe File opened (read-only) \??\W: unregmp2.exe File opened (read-only) \??\J: wmplayer.exe File opened (read-only) \??\R: unregmp2.exe File opened (read-only) \??\S: unregmp2.exe File opened (read-only) \??\T: unregmp2.exe File opened (read-only) \??\A: wmplayer.exe File opened (read-only) \??\U: wmplayer.exe File opened (read-only) \??\X: unregmp2.exe File opened (read-only) \??\Y: unregmp2.exe File opened (read-only) \??\E: wmplayer.exe File opened (read-only) \??\M: wmplayer.exe File opened (read-only) \??\P: wmplayer.exe File opened (read-only) \??\Q: wmplayer.exe File opened (read-only) \??\V: wmplayer.exe File opened (read-only) \??\W: wmplayer.exe File opened (read-only) \??\G: unregmp2.exe File opened (read-only) \??\K: unregmp2.exe File opened (read-only) \??\L: unregmp2.exe File opened (read-only) \??\V: unregmp2.exe File opened (read-only) \??\O: wmplayer.exe File opened (read-only) \??\R: wmplayer.exe File opened (read-only) \??\S: wmplayer.exe -
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 mmc.exe Delete value \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 mmc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count = "0" mmc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance = "0" mmc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum mmc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count mmc.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\devmgmt.msc mmc.exe -
Drops file in Windows directory 62 IoCs
description ioc Process File created C:\Windows\INF\oposdrv.PNF mmc.exe File created C:\Windows\INF\c_fscopyprotection.PNF mmc.exe File created C:\Windows\INF\c_fsinfrastructure.PNF mmc.exe File created C:\Windows\INF\c_magneticstripereader.PNF mmc.exe File created C:\Windows\INF\c_proximity.PNF mmc.exe File created C:\Windows\INF\miradisp.PNF mmc.exe File created C:\Windows\INF\dc1-controller.PNF mmc.exe File created C:\Windows\INF\c_fsactivitymonitor.PNF mmc.exe File created C:\Windows\INF\wsdprint.PNF mmc.exe File created C:\Windows\INF\c_holographic.PNF mmc.exe File created C:\Windows\INF\remoteposdrv.PNF mmc.exe File created C:\Windows\INF\c_scmvolume.PNF mmc.exe File created C:\Windows\INF\c_camera.PNF mmc.exe File created C:\Windows\INF\c_ucm.PNF mmc.exe File created C:\Windows\INF\c_firmware.PNF mmc.exe File created C:\Windows\INF\c_fsopenfilebackup.PNF mmc.exe File created C:\Windows\INF\c_fscontentscreener.PNF mmc.exe File created C:\Windows\INF\c_cashdrawer.PNF mmc.exe File created C:\Windows\INF\c_barcodescanner.PNF mmc.exe File created C:\Windows\INF\c_fscfsmetadataserver.PNF mmc.exe File created C:\Windows\INF\c_fsundelete.PNF mmc.exe File created C:\Windows\INF\c_primitive.PNF mmc.exe File created C:\Windows\INF\c_smrdisk.PNF mmc.exe File created C:\Windows\INF\c_swcomponent.PNF mmc.exe File created C:\Windows\INF\c_fsphysicalquotamgmt.PNF mmc.exe File created C:\Windows\INF\c_receiptprinter.PNF mmc.exe File created C:\Windows\INF\c_apo.PNF mmc.exe File created C:\Windows\INF\c_fscontinuousbackup.PNF mmc.exe File created C:\Windows\INF\c_fshsm.PNF mmc.exe File created C:\Windows\INF\xusb22.PNF mmc.exe File created C:\Windows\INF\c_linedisplay.PNF mmc.exe File created C:\Windows\INF\rawsilo.PNF mmc.exe File created C:\Windows\INF\c_fssecurityenhancer.PNF mmc.exe File created C:\Windows\INF\c_computeaccelerator.PNF mmc.exe File created C:\Windows\INF\digitalmediadevice.PNF mmc.exe File created C:\Windows\INF\c_scmdisk.PNF mmc.exe File created C:\Windows\INF\c_fsantivirus.PNF mmc.exe File created C:\Windows\INF\c_fsvirtualization.PNF mmc.exe File opened for modification C:\Windows\INF\setupapi.dev.log mmc.exe File created C:\Windows\INF\c_sslaccel.PNF mmc.exe File created C:\Windows\INF\c_processor.PNF mmc.exe File created C:\Windows\INF\c_volume.PNF mmc.exe File created C:\Windows\INF\c_fssystemrecovery.PNF mmc.exe File created C:\Windows\INF\c_mcx.PNF mmc.exe File created C:\Windows\INF\c_fssystem.PNF mmc.exe File created C:\Windows\INF\c_fsencryption.PNF mmc.exe File created C:\Windows\INF\c_fsreplication.PNF mmc.exe File created C:\Windows\INF\c_diskdrive.PNF mmc.exe File created C:\Windows\INF\c_fsquotamgmt.PNF mmc.exe File created C:\Windows\INF\PerceptionSimulationSixDof.PNF mmc.exe File created C:\Windows\INF\c_nvmedisk.PNF mmc.exe File created C:\Windows\INF\c_netdriver.PNF mmc.exe File created C:\Windows\INF\rdcameradriver.PNF mmc.exe File created C:\Windows\INF\c_extension.PNF mmc.exe File created C:\Windows\INF\c_display.PNF mmc.exe File created C:\Windows\INF\c_media.PNF mmc.exe File created C:\Windows\INF\c_monitor.PNF mmc.exe File created C:\Windows\INF\ts_generic.PNF mmc.exe File created C:\Windows\INF\c_smrvolume.PNF mmc.exe File created C:\Windows\INF\c_fscompression.PNF mmc.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 412 1136 WerFault.exe 99 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmplayer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language unregmp2.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 mmc.exe Delete value \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ClassGUID mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 mmc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ mmc.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064 mmc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0006 mmc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Security mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName mmc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2} mmc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr mmc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80497100-8c73-48b9-aad9-ce387e19c56e} mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80497100-8c73-48b9-aad9-ce387e19c56e}\0006 mmc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009 mmc.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065 mmc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002 mmc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000E mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 mmc.exe Delete value \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ContainerID mmc.exe Delete value \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\InstallFlags mmc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912} mmc.exe Delete value \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 mmc.exe Delete value \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities mmc.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912} mmc.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29} mmc.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003 mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0007 mmc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters mmc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2} mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29} mmc.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties mmc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0018 mmc.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002 mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0006 mmc.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0018 mmc.exe Delete value \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0004\ mmc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009\ mmc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ClassGUID mmc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064 mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064 mmc.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80497100-8c73-48b9-aad9-ce387e19c56e}\0006 mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0018 mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties mmc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr mmc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003 mmc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport mmc.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0007 mmc.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A mmc.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066 mmc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009 mmc.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 mmc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags mmc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 mmc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 mmc.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c00310000000000e958f88a110050524f4752417e310000740009000400efbec5525961e958f98a2e0000003f0000000000010000000000000000004a00000000009a920000500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000 OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Applications\7zFM.exe\shell OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Applications\7zFM.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\"" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\MuiCache MiniSearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Applications OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Applications\7zFM.exe\shell\open OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Applications\7zFM.exe OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings control.exe Set value (data) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5000310000000000e958bc881000372d5a6970003c0009000400efbee958bc88e958bc882e0000004df60000000019000000000000000000000000000000536f420037002d005a0069007000000014000000 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Applications\7zFM.exe\shell\open\command OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings cmd.exe Key created \Registry\User\S-1-5-21-514081398-208714212-3319599467-1000_Classes\NotificationData OpenWith.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" OpenWith.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 4788 vlc.exe 3652 vlc.exe -
Suspicious behavior: EnumeratesProcesses 60 IoCs
pid Process 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid Process 4972 OpenWith.exe 2324 7zFM.exe 4288 taskmgr.exe 2940 mmc.exe 4788 vlc.exe -
Suspicious use of AdjustPrivilegeToken 26 IoCs
description pid Process Token: SeRestorePrivilege 2324 7zFM.exe Token: 35 2324 7zFM.exe Token: SeSecurityPrivilege 2324 7zFM.exe Token: SeDebugPrivilege 4196 Server.exe Token: SeDebugPrivilege 4288 taskmgr.exe Token: SeSystemProfilePrivilege 4288 taskmgr.exe Token: SeCreateGlobalPrivilege 4288 taskmgr.exe Token: 33 4288 taskmgr.exe Token: SeIncBasePriorityPrivilege 4288 taskmgr.exe Token: SeShutdownPrivilege 2904 control.exe Token: SeCreatePagefilePrivilege 2904 control.exe Token: 33 2940 mmc.exe Token: SeIncBasePriorityPrivilege 2940 mmc.exe Token: 33 2940 mmc.exe Token: SeIncBasePriorityPrivilege 2940 mmc.exe Token: SeLoadDriverPrivilege 2940 mmc.exe Token: SeLoadDriverPrivilege 2940 mmc.exe Token: SeDebugPrivilege 228 taskmgr.exe Token: SeSystemProfilePrivilege 228 taskmgr.exe Token: SeCreateGlobalPrivilege 228 taskmgr.exe Token: 33 228 taskmgr.exe Token: SeIncBasePriorityPrivilege 228 taskmgr.exe Token: SeShutdownPrivilege 1136 wmplayer.exe Token: SeCreatePagefilePrivilege 1136 wmplayer.exe Token: SeShutdownPrivilege 3560 unregmp2.exe Token: SeCreatePagefilePrivilege 3560 unregmp2.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2324 7zFM.exe 2324 7zFM.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 4288 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe 228 taskmgr.exe -
Suspicious use of SetWindowsHookEx 38 IoCs
pid Process 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 4972 OpenWith.exe 2940 mmc.exe 2940 mmc.exe 2940 mmc.exe 4788 vlc.exe 3652 vlc.exe 2364 MiniSearchHost.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 4972 wrote to memory of 2324 4972 OpenWith.exe 85 PID 4972 wrote to memory of 2324 4972 OpenWith.exe 85 PID 2904 wrote to memory of 2940 2904 control.exe 95 PID 2904 wrote to memory of 2940 2904 control.exe 95 PID 1136 wrote to memory of 4220 1136 wmplayer.exe 100 PID 1136 wrote to memory of 4220 1136 wmplayer.exe 100 PID 1136 wrote to memory of 4220 1136 wmplayer.exe 100 PID 4220 wrote to memory of 3560 4220 unregmp2.exe 101 PID 4220 wrote to memory of 3560 4220 unregmp2.exe 101
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6.7z"1⤵
- Modifies registry class
PID:4732
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\sheet rat v2.6.7z"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2324
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1736
-
C:\Users\Admin\Desktop\sheet rat v2.6\Server.exe"C:\Users\Admin\Desktop\sheet rat v2.6\Server.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4196
-
C:\Users\Admin\Desktop\sheet rat v2.6\Server.exe"C:\Users\Admin\Desktop\sheet rat v2.6\Server.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2580
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4288
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" /name Microsoft.DeviceManager1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc2⤵
- Maps connected drives based on registry
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2940
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
PID:1312
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:228
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\BlockNew.mpeg2"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4788
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SwitchUnpublish.M2TS"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3652
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:3560
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 11842⤵
- Program crash
PID:412
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵
- Drops file in Windows directory
PID:756
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1136 -ip 11361⤵PID:1604
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2364
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD59e466b4837d8431be725d6b9c1b4d9ef
SHA13f247b7c89985a41d839cad351cd0fc182fcb284
SHA2562f9a5eeb5ac8cec52a3e73621e4d392f501f5d657dfec3215ccd40eec317208d
SHA51201de0fda555d63b5c38339b0f6d38c28de2a882643439679e63cf5d75f13516b57dc90e8dfb8c638bda328fc12342e58d1e501acec8f85b92dbd5589dac06418
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
960B
MD516846df493521e84fe47cd6b6451ec8f
SHA16d99eb017c5aec08d3a7e908bbd4a051ce250c02
SHA25669f19f2ab2f3625faca623477864766ab1ef3a21712bc892d7b2b0886585b3f9
SHA512aefa5121601b8273cff6b79b7f76417c71e29e835b66faf3e1a67d0d38fb9ebe90320b75493fd5c4a2d9ea3e3c485d0a84bcdbfb78c26a8ecee3175cd8bd93cd
-
Filesize
1.3MB
MD514393eb908e072fa3164597414bb0a75
SHA15e04e084ec44a0b29196d0c21213201240f11ba0
SHA25659b9d95ae42e35525fc63f93168fe304409463ee070a3cf21a427a2833564b80
SHA512f5fc3d9e98cca1fbbbe026707086a71f801016348d2355541d630879ad51a850f49eb4a5f7a94e12a844d7a7108d69fa6d762ee19f4805d6aafef16259b4330b
-
Filesize
32.2MB
MD5c1908aa6edfec3602b63e89905c888c4
SHA1aed61a7a8eada8ef92d91830802fb4ed5bd5e764
SHA256380d75309abcf9bd7e980b61c41f9262f56c242b4403e555dc2ad18cd310a036
SHA51299e1971093abca7124d214b6e6445ff5b6dcc6c7f2834fe4c5a4f99e0af0e71403b16c86e3c94b135f628e5632538b38c991a4af17601a9aee942348448a6acd
-
C:\Users\Admin\AppData\Local\GMap.NET\UrlCache\7A-37-FE-AF-96-76-33-1F-2C-6E-71-1B-6B-95-19-3C-D9-63-B4-06.txt
Filesize201KB
MD5201e5e4bed204dc859f2a62218fb9838
SHA19d7debf6378c97780cc116391323f15d24a963a8
SHA256827d115a780aa969d2e479665f9e2dbfb9eed5bb912966b80158960d07643506
SHA512852d09ed92c3569e61d2aea63214ef2293c29c3c1c9c0c5b5a39741076e1ce7163d5b441a8c549bac8a165788ece4cb82c97633ebd632babdb48b0a49a31ebb5
-
Filesize
1KB
MD520fc98d09b44dda8c3ebe465c48bbec4
SHA1b6b96e12617ee57eec9d1f31a37e7ef727505334
SHA2567347aca40c7a7e31fc51aa08fbe46a06b13b99c0f0abd58f47dd89fb8093a2ae
SHA51231d02deec3aba8620e92bfe1edd5ecf159cce7c2f73fd827417b50b4f3a3acb27c33868227925d67a9ff4862e46df8997d7c97cf72f2fa936da7b9944e5566a7
-
Filesize
512KB
MD5f1d3d081fca232ae6d28beebcdae13a2
SHA11d6f50f74b2f371e501b699a57f0bb7921966e64
SHA256fb060e247954bdfc1673c13bc682185074948d08120e9d9fd2cbf916134459ea
SHA512661770d5ec4eb36da8065f4ddbfb8e01fad3c1fc9c79b14d41a195da75fd181795ab9edf3f47c468ca9d5e64526ce7519723b836950576ab24438a369823ddd3
-
Filesize
1024KB
MD564a53e3501290ca3fcd2e4b2822f27cf
SHA19a85fb6f7ed810859904c561b1cb8ad88b9951d4
SHA2567b935e1f0f827da4c2c834b8943cdcb0970c9cb032a94ada5ffb7ca963bc300d
SHA5127d46cd65c36c427a5071b160be5bfc5a6b26746bf36b52ab596acc3ff0eb6a447385574d2830bffb4f45dfee61080c265a79c4f7cc46964fd12ee5dbfd41411d
-
Filesize
498B
MD590be2701c8112bebc6bd58a7de19846e
SHA1a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
14KB
MD5bb47820963d9344a27aedadd2e1b5957
SHA109e50ad6cdd585457f1f47e1e169e9b6f8442fc8
SHA25682205ee0b94fd9ec59b4b19a45aeda7f4c99fd05cdb0d7585671595f1dfb1733
SHA5126c107dea3cd77facf45f20c2f0f4276216e3fad47bfa6f5d8b154715c177231d2b1ee5f0ed02f8dbac22193163ba18b9107c62ae657a1a8791f7714061bd7128
-
Filesize
14KB
MD5fba63e9da1cd9a6db13fd2cb73ad9f18
SHA1e478bcc219769907c935245dd866fcd851e7e90a
SHA256703dc90657db5304f75383115da1225069b588469ba2e88a6e178771e0dbffac
SHA51259190efc358b9f6c04eafa35480ea4bee06585344f776f2d278d6843ec0b4565aadc638ba5eedf2a5deab99e0fe6f9dfbd36f78c3a3e53526e7d202e4a5e5e27
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize10KB
MD5762f78ddea46ea31edc6c6e83b0a9352
SHA1ffc01ff355c2ff5cf15afa47ca98868270a85974
SHA256060d2524088923576de254c1d481a3717cd93932f90362e5dccfc7e3ab22368e
SHA51237995afbba67a613b6d617a5d6387a906e4f1d61955e17c047d3172f155cde09157ced2e9f34713a5bc82de19f0aebd29ba5632fc49df0d8e2fe2404ed789256
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize10KB
MD52aaa4134481f6d4ef6b44658d489618a
SHA1a30f020b4ea91f8bb2875813b2e8036a679e74c1
SHA25656ffdcba29a25e206349d6f8805f3c8559d7b2eab82475e6b8fc6316c02aa964
SHA512f4ffae089eaacfc819103dca1c330995b90ab797d3b2e9403da909691cda4cdcea2ba7b97046cd14c84c44bddc6ee565303b9dd4273dd1444224a343d4591b45
-
C:\Users\Admin\AppData\Local\Server\Server.exe_Url_i5cm5l3jhkqbqgcva4ebc4kkrfcdkh51\1.0.0.0\ijr31dqx.newcfg
Filesize561B
MD52e8ab7cdc2081c09a98f6c5593909409
SHA1282769c943f8ab0429315869466d042a99de95f4
SHA25617eee8708a1bbc35422e6ad9b6eff3bec4f8a8b8a87cce8e6cc0da2d94c9b3ae
SHA512b815e0deaea5348d5ec68cdba3e4b5018e6224299f170859181f90961831b7d14deda144b32d64b11f8da7f4cbdb0b86a8d253b0ee179df68baac274a363ef2a
-
C:\Users\Admin\AppData\Local\Server\Server.exe_Url_i5cm5l3jhkqbqgcva4ebc4kkrfcdkh51\1.0.0.0\tp1icpzo.newcfg
Filesize434B
MD5cfcf8e91857f364e002065c52ff8f91c
SHA18407ecb3c33a1f3fcf18a723e6884acf7e5a0f4a
SHA256572dda8c7f211dc6a4efc7aecb4a54cb4e0ced1e4c9a4b9f96bb329c983c64e6
SHA512364fecac3a051441b4fefcebb2cc9e38632f99dd04593cd5d9b148986afb09b195e88cdbfa2e778b8934564b76d04fe053f919f0a60769b023f2f753ede06d1e
-
C:\Users\Admin\AppData\Local\Server\Server.exe_Url_i5cm5l3jhkqbqgcva4ebc4kkrfcdkh51\1.0.0.0\user.config
Filesize311B
MD5a35bc67d130a4fb76c2c2831cbdddd55
SHA166502423bba03870522e50608212b6ee27ebf4c5
SHA256e94a97e512fbc8ed9f5691d921fdeddbff4cc16b024c5335adf66bff3a7a8192
SHA5124401b234d7914afa860e356be1667cc5f44402255f7cc6cc3d8df80883167f6b55463e62156df57be697ee501897fac61a71f97911c6fdb6630272341ac8a07e
-
C:\Users\Admin\AppData\Local\Server\Server.exe_Url_i5cm5l3jhkqbqgcva4ebc4kkrfcdkh51\1.0.0.0\xnlp4dtr.newcfg
Filesize687B
MD5b18785caae8834f89e34cde89b93cafc
SHA1cee194149b484295ddba88111a251986bdc0c7af
SHA256105971bbe15f24f50dad97d466b55222e52dfdb4a71b1b3a6452cfba28a10811
SHA512fb108e2997a0ea7bce21113118997f358d73a43a40e2b4b9962738cd88dc6d9dfc17e17e63c8ba8c5a5504e5775fbe9e8084ee8e6086cf0eab709335ed8b282c
-
Filesize
1KB
MD5edf8b45252c7a593239e8b6136e5a2c1
SHA16bef62d9ca35d64d93619c1b24eab3b6b4ef8bf6
SHA256d7a8062af05dae66ca7b6f032a92525a007e514edd0dc575f8d34d0bddd6962a
SHA5123cac9a71174fb7266f1c07b43e2c59a5145aa63d08c3519ef6d9289569a6419b91deae766dcc4ea2c8565600bbffeb6e73ac087a767d010db57924672d3beafa
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
Filesize1KB
MD5ceefba2f1dd65d57766fbe65e1a3f48f
SHA10b1abf957e5a117d39b4f47f25095d949150b8c5
SHA2565f5579f90485af6e4554828fc57643f0c123ddecf4a25d5400ec426cf71bfdb3
SHA512c7618aee76fcadbd280a06ad4370839aed9151fab2cdda0a7346413d28c99ed0e20152780578a3fa157b9950d978983aede6cea6e6c80564faefbd8b55efed18
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
Filesize3KB
MD508fdf67ec3174478f7016a98fc39eec2
SHA13342bceb50a27c55d3aae7c9217374eee1367c8c
SHA25637e00e88984f8f00b6cb056c50b41ab6a11af913393bbe736d43267d83af1c7f
SHA5120f3fd3140079095810971ed54910b3286ad40402dfabff24e6d276f91cdbb894191d459ec87ab924ba25cebab95e21babbc5b53e9db8d89c54c86f0ab0f7c7d8
-
Filesize
304B
MD5781602441469750c3219c8c38b515ed4
SHA1e885acd1cbd0b897ebcedbb145bef1c330f80595
SHA25681970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d
SHA5122b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461
-
Filesize
526B
MD59fa85c5142916a611d31618f10f4cd93
SHA1cc2149437156b4a46790eb9babc66b076ba44982
SHA256bb38570e21d7bfd76467c66a02ab6957f00e4da62293f7cc94338dfd658e85e1
SHA512688006f520bf623fcf549c4f9284337dcdf9880c6417821266a8c2f288cb4a4102f8d4fc418a45e167cf89194a70bfaa24f6858c364b5eccc405467cdc261e75
-
Filesize
94KB
MD57b37c4f352a44c8246bf685258f75045
SHA1817dacb245334f10de0297e69c98b4c9470f083e
SHA256ec45f6e952b43eddc214dba703cf7f31398f3c9f535aad37f42237c56b9b778e
SHA5121e8d675b3c6c9ba257b616da268cac7f1c7a9db12ffb831ed5f8d43c0887d711c197ebc9daf735e3da9a0355bf21c2b29a2fb38a46482a2c5c8cd5628fea4c02
-
Filesize
1KB
MD53071a60e3daac1fe7b97d115628c98d9
SHA1249d49479a8a6544f025c6e781268847f42a4469
SHA2562a725ea0ebc6ce93f78c3f785781558723f663fb42f171b18a8f9e51c5aad725
SHA512e9745de08c87d2f6746d9fb5f988eb109e9a25b7f61f9ad75aefd90559b1a77a054ccdc942c384b0d1933310345fd68777adf2dc8485bb9a9c83cfdfd7e9e1c8
-
Filesize
2.9MB
MD5819352ea9e832d24fc4cebb2757a462b
SHA1aba7e1b29bdcd0c5a307087b55c2ec0c7ca81f11
SHA25658c755fcfc65cddea561023d736e8991f0ad69da5e1378dea59e98c5db901b86
SHA5126a5b0e1553616ea29ec72c12072ae05bdd709468a173e8adbdfe391b072c001ecacb3dd879845f8d599c6152eca2530cdaa2c069b1f94294f778158eaaebe45a
-
Filesize
147KB
MD532a8742009ffdfd68b46fe8fd4794386
SHA1de18190d77ae094b03d357abfa4a465058cd54e3
SHA256741e1a8f05863856a25d101bd35bf97cba0b637f0c04ecb432c1d85a78ef1365
SHA51222418d5e887a6022abe8a7cbb0b6917a7478d468d211eecd03a95b8fb6452fc59db5178573e25d5d449968ead26bb0b2bfbfada7043c9a7a1796baca5235a82b
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
656KB
MD565ef4b23060128743cef937a43b82aa3
SHA1cc72536b84384ec8479b9734b947dce885ef5d31
SHA256c843869aaca5135c2d47296985f35c71ca8af4431288d04d481c4e46cc93ee26
SHA512d06690f9aac0c6500aed387f692b3305dfc0708b08fc2f27eaa44b108908ccd8267b07f8fb8608eef5c803039caeabf8f88a18b7e5b1d850f32bbb72bcd3b0b7
-
Filesize
345KB
MD534ea7f7d66563f724318e322ff08f4db
SHA1d0aa8038a92eb43def2fffbbf4114b02636117c5
SHA256c2c12d31b4844e29de31594fc9632a372a553631de0a0a04c8af91668e37cf49
SHA512dceb1f9435b9479f6aea9b0644ba8c46338a7f458c313822a9d9b3266d79af395b9b2797ed3217c7048db8b22955ec6fe8b0b1778077fa1de587123ad9e6b148
-
Filesize
695KB
MD5195ffb7167db3219b217c4fd439eedd6
SHA11e76e6099570ede620b76ed47cf8d03a936d49f8
SHA256e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
SHA51256eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac
-
Filesize
1.3MB
MD5dd6667db55acaefa2d7e99dcf5d97a26
SHA1c1b281ef573df4da584294c61b5322edfed589ad
SHA256ce8fd5ec0b2ee4e5d87d35622eeaa022ee971801c97bcb3726ca6ebe4b576238
SHA512916c8b63400c0a8e495fc59d8e348499a6f04421e79599803c7ac4cd828c82f389bfd733471de27cc1643c03723429f8544446d9adc69082e6a5032139a1f1f1
-
Filesize
7KB
MD52083876ec03ad06e5c16490fcb4ab8b6
SHA1b8f50f08abd53225c046912471dfd271a98cf15a
SHA25628026de2c65972cb8fac1ff2865c33e24d1086f7242b2fe951cef172909ad128
SHA512b16f1fbe8e10b66079d83a46818423fb2e2e8619cbdc1427ce0cd27f06092af52bcc003755e939320cf84f8cc5a26c92e43041013fe3ef60c7d73d8624ee6096
-
Filesize
33B
MD5fdf6d963491b41d9ba798f60fe27ef8c
SHA14908bfc78d191f60ab583fe093bc579fd5ff06a3
SHA256bfe1437218dd94ccd078a8683f59b65e28d8d63defa7f419b2cef81bc031a7bf
SHA51296e5981739a3328387aaf80b6b6a071dc7a2135d5bdaa99b638527b9cd82eb514d21d27a26445a01082a4ba8811ac130a671690e51cf780fd66acdd3a12a3c25
-
Filesize
2.3MB
MD56d6e172e7965d1250a4a6f8a0513aa9f
SHA1b0fd4f64e837f48682874251c93258ee2cbcad2b
SHA256d1ddd15e9c727a5ecf78d3918c17aee0512f5b181ad44952686beb89146e6bd0
SHA51235daa38ad009599145aa241102bcd1f69b4caa55ebc5bb11df0a06567056c0ec5fcd02a33576c54c670755a6384e0229fd2f96622f12304dec58f79e1e834155