Analysis
max time kernel: 119s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 11:06
Static task: static1
Behavioral task: behavioral1
Sample: 9e5662de4a9d33cc454e7f9a3a256cb69682061efcec80b952a4b1cb780a396bN.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 9e5662de4a9d33cc454e7f9a3a256cb69682061efcec80b952a4b1cb780a396bN.exe
Resource: win10v2004-20241007-en
General
Target: 9e5662de4a9d33cc454e7f9a3a256cb69682061efcec80b952a4b1cb780a396bN.exe
Size: 1.5MB
MD5: 885ce6288fc5b8553f8c58693423f850
SHA1: a46c0c6068b2b8bf94a71fce7c21a46a01c5c7c9
SHA256: 9e5662de4a9d33cc454e7f9a3a256cb69682061efcec80b952a4b1cb780a396b
SHA512: 26e76bb0f8859d392ff4f1d8dce373f110c274293ca3dfb8e4bd19ff05f9d2b327640f0696fd1cea270f88d1840b0746f411eecd82bed884da2642d3e0489034
SSDEEP: 24576:XAvoYumb9Vt9dzv5/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:qD5LNiXicJFFRGNzj3
Malware Config
Extracted
redline
eewx
185.81.68.147:1912
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource | yara_rule
behavioral2/files/0x0007000000023c8a-107.dat | family_redline
behavioral2/memory/1868-122-0x0000000000B80000-0x0000000000BD2000-memory.dmp | family_redline
-
Redline family
-
Downloads MZ/PE file
-
Executes dropped EXE 25 IoCs
pid | Process
3688 | alg.exe
2176 | DiagnosticsHub.StandardCollector.Service.exe
2652 | fxssvc.exe
3104 | elevation_service.exe
1868 | B602.tmp.ssg.exe
3744 | elevation_service.exe
2248 | maintenanceservice.exe
744 | msdtc.exe
3116 | OSE.EXE
4908 | PerceptionSimulationService.exe
1456 | perfhost.exe
1696 | locator.exe
2608 | SensorDataService.exe
2480 | snmptrap.exe
3396 | spectrum.exe
3384 | ssh-agent.exe
1556 | TieringEngineService.exe
1216 | AgentService.exe
4444 | vds.exe
4404 | vssvc.exe
3988 | wbengine.exe
2104 | WmiApSrv.exe
3236 | SearchIndexer.exe
4500 | C814.tmp.zx.exe
1856 | C814.tmp.zx.exe
-
Loads dropped DLL 5 IoCs
pid | Process
1856 | C814.tmp.zx.exe
1856 | C814.tmp.zx.exe
1856 | C814.tmp.zx.exe
1856 | C814.tmp.zx.exe
1856 | C814.tmp.zx.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\B44BB2ABB6073674480464\\B44BB2ABB6073674480464.exe" | 9e5662de4a9d33cc454e7f9a3a256cb69682061efcec80b952a4b1cb780a396bN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\B44BB2ABB6073674480464\\B44BB2ABB6073674480464.exe" | audiodg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\B44BB2ABB6073674480464\\B44BB2ABB6073674480464.exe" | msiexec.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 31 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 2456 set thread context of 2156 | 2456 | 9e5662de4a9d33cc454e7f9a3a256cb69682061efcec80b952a4b1cb780a396bN.exe | 83
PID 2456 set thread context of 1732 | 2456 | 9e5662de4a9d33cc454e7f9a3a256cb69682061efcec80b952a4b1cb780a396bN.exe | 84
PID 2456 set thread context of 1408 | 2456 | 9e5662de4a9d33cc454e7f9a3a256cb69682061efcec80b952a4b1cb780a396bN.exe | 85
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | svchost.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | audiodg.exe
-
Detects Pyinstaller 1 IoCs
resource | yara_rule
behavioral2/files/0x0007000000023c9a-360.dat | pyinstaller
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | B602.tmp.ssg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process       Occurrences
2156  svchost.exe   2
3420  Explorer.EXE  2
1408  audiodg.exe   36
1732  msiexec.exe   24
-
Suspicious behavior: LoadsDriver 2 IoCs
pid  Process
656  Process not Found
656  Process not Found
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
pid   Process
2456  9e5662de4a9d33cc454e7f9a3a256cb69682061efcec80b952a4b1cb780a396bN.exe
      Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
2156  svchost.exe
      Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
1408  audiodg.exe
      Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
1732  msiexec.exe
      Tokens: SeIncreaseQuotaPrivilege
-
Suspicious use of WriteProcessMemory 43 IoCs
description                       pid   Process                                                                procid_target  Occurrences
PID 2456 wrote to memory of 2156  2456  9e5662de4a9d33cc454e7f9a3a256cb69682061efcec80b952a4b1cb780a396bN.exe  83             10
PID 2456 wrote to memory of 1732  2456  9e5662de4a9d33cc454e7f9a3a256cb69682061efcec80b952a4b1cb780a396bN.exe  84             10
PID 2456 wrote to memory of 1408  2456  9e5662de4a9d33cc454e7f9a3a256cb69682061efcec80b952a4b1cb780a396bN.exe  85             10
PID 2156 wrote to memory of 3420  2156  svchost.exe                                                            56             2
PID 3420 wrote to memory of 1868  3420  Explorer.EXE                                                           91             3
PID 3420 wrote to memory of 4500  3420  Explorer.EXE                                                           113            2
PID 4500 wrote to memory of 1856  4500  C814.tmp.zx.exe                                                        114            2
PID 3236 wrote to memory of 540   3236  SearchIndexer.exe                                                      124            2
PID 3236 wrote to memory of 4748  3236  SearchIndexer.exe                                                      125            2
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3420

    C:\Users\Admin\AppData\Local\Temp\9e5662de4a9d33cc454e7f9a3a256cb69682061efcec80b952a4b1cb780a396bN.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\9e5662de4a9d33cc454e7f9a3a256cb69682061efcec80b952a4b1cb780a396bN.exe"
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:2456

        C:\Windows\system32\svchost.exe
          Command line: "C:\Windows\system32\svchost.exe"
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID:2156

        C:\Windows\system32\msiexec.exe
          Command line: "C:\Windows\system32\msiexec.exe"
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:1732

        C:\Windows\system32\audiodg.exe
          Command line: "C:\Windows\system32\audiodg.exe"
          - Adds Run key to start application
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:1408

    C:\Users\Admin\AppData\Local\Temp\B602.tmp.ssg.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\B602.tmp.ssg.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:1868

    C:\Users\Admin\AppData\Local\Temp\C814.tmp.zx.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\C814.tmp.zx.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:4500

        C:\Users\Admin\AppData\Local\Temp\C814.tmp.zx.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\C814.tmp.zx.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          PID:1856

C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  PID:3688

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2176

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID:3024

C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:2652

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  - Executes dropped EXE
  PID:3104

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID:3744

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID:2248

C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:744

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID:3116

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID:4908

C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1456

C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID:1696

C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:2608

C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID:2480

C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:3396

C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID:3384

C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  PID:1556

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID:1356

C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  PID:1216

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID:4444

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  PID:4404

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  PID:3988

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID:2104

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3236

    C:\Windows\system32\SearchProtocolHost.exe
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID:540

    C:\Windows\system32\SearchFilterHost.exe
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
      - Modifies data under HKEY_USERS
      PID:4748

Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
Credential Access
- Credentials from Password Stores: 1
  - Credentials from Web Browsers: 1
- Unsecured Credentials: 2
  - Credentials In Files: 2
Downloads
-
Filesize
2.0MB
MD5214ec7125d827fb394b067fc2f770b3c
SHA1112ab0c69755a4d4f3a6135815272e3ddb790a0a
SHA256cecde710a2c5ffb062ded7b94294af9087899ebb30ac4dfbd51dcfc8c0a3c1ef
SHA512a85ec680bfd0ee16a345e1aff5d2aa15e92b955c47e5907d14df5383748af1ad395411258e0113a62c02d26cf7b056c8ff8bf27d6bbc373df7146dd62b731e4c
-
Filesize
1.3MB
MD5ee2d4a1d93c41ae09f66854bfd609449
SHA120afc44d08b49a3fb5766494275e7ce8a4aff7f9
SHA256b1efa1f2fdfde4490b4af1c2f709d32c562fc5f931b3193b093ee3c3f4dfbf6b
SHA512492b654fa2781db14833856ce6186d9566a184ce1c807e53030f0f113b1a343d356e12bbbe4fc72c451625388780500772f535e56d9b319fdac7f07bf1598edd
-
Filesize
1.4MB
MD59b71bdb0852fd5b4150b2d3f36601e84
SHA14245d004eb2ca441d8edf90565692c709f596c1e
SHA2566b7bef63e238d26bd3add7db3ebc0e118716f36749655ca3a9fe6e6e77a4dde7
SHA51270d18522fbf5680bf06ac88fee7f680702c9403e059df5dd38aba6e50e5e13112e30b256fe7daa117ccdd580a0acb982c96d393a196c9174ea4f6a8deb0a74dc
-
Filesize
1.2MB
MD580a746455f23fdc260142f5b4dbda37d
SHA170c4a07742de9fff029ffa4b045b9647eb2f0c08
SHA2566a58c3aa7a93aa9c827b1ed403a9d769bf8d586505a14e2feb68ee130d9e2301
SHA512f75e9248f1a040a8994a66bc6402c68b5dc5597fce6de12fde52aef77a147da583d131c42ee01234f56a5c26512505524231bd6d7eca31940146628e49a49e02
-
Filesize
1.3MB
MD5ec98164dd2904a0bfa71874fc93f00d6
SHA1272482b2cd02b7530cb3e63922d6cd4841713c9e
SHA2566f19a51fe0a43bbedc431241686e0e8946bc17b7eef47d13327e8e86e896ec65
SHA512e89f6635d9c41502b5ca2a4e1ed87673131d7af68aeacb2306f81a73870d6f92e4e0e94baf1b206280ab7aa9bee7b006e7cb44246b70be1361e5caba289dd74d
-
Filesize
1.4MB
MD514c43b4530e7309a0a5742ffeba47c02
SHA15e6d9e0b0d77667d4282163c127eb862548d298f
SHA2566dbab8522ffdbce5c670247ca89011ad4e68c97afbf3eda0b2d60633b21cae97
SHA512252f9e50cdda60b03c4ada55f00c7c9538050c63be0c616f04582cd7e938c78649f0dcb29d1a6256f7f7170f189ad002c5d3d7590b3e656b619724a7c3cfb0fa
-
Filesize
2.1MB
MD54d4c1269683cafe0d3c25ec54cd01720
SHA1c6df4f079c4d94b59df439b0854704dfc23b16da
SHA2564a072dbd41d88b9ce4d62438a69c5b388492c515330da1efb8f724c2514d0ef1
SHA5126201836b9c9cffa4594e0d812058585b52f8f133af58023c41c99e36f5caa6c2cbc41165cbdabcdfc527de988a4bafa0ffffaed36d5808f5409899da1759ceef