Analysis
- max time kernel: 30s
- max time network: 31s
- platform: windows10-2004_x64
- resource: win10v2004-20250314-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/03/2025, 06:47
Behavioral task
- behavioral1
- Sample: sultan cracked.exe
- Resource: win7-20241010-en
Note: the analysis details on this page (platform windows10-2004_x64, IoC resource paths prefixed behavioral2/) belong to the Windows 10 run; behavioral1 on win7-20241010-en is a separate task of the same submission.
General
- Target: sultan cracked.exe
- Size: 2.0MB
- MD5: 000142d2c4961a9715157529ee679f27
- SHA1: e12ef916e551260a295cad737602c897781cc656
- SHA256: dbe3ee56b5cc22b5309005a8624b7cc24f5f7260e9bc38d8d223875f2fb81ba4
- SHA512: b76fbacdc4bc8172c948d2d68b2506e4c69b43d4462765dbdab37cbc773c081132b555ed072e39e5a5666f734d62374512d9ae4a0660bc90c8e7db0218bba0dc
- SSDEEP: 24576:Vof3ZI06UZjoiAuB2Tu6kbRTYnnk2FbMNyBo4kx929bL3Hnx1I88:a/Zsxu0zq5QnJB+kn3HnxW
Malware Config
Signatures
Detect Umbral payload (2 IoCs)
- resource: behavioral2/files/0x000800000002424b-27.dat, yara_rule: family_umbral
- resource: behavioral2/memory/5872-35-0x000001AA30650000-0x000001AA30690000-memory.dmp, yara_rule: family_umbral
Umbral family
Note: the yara rule matched a dropped file and a 0x40000-byte (256 KiB) region in the memory of pid 5872. The "Executes dropped EXE" signature below lists pid 5872 as svchost.exe, so the Umbral stealer runs from a dropped copy named svchost.exe, not from the Windows service host in System32 (which does not appear in the modified-file lists). The browser-data and external-IP signatures below are consistent with an infostealer payload.
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation (sultan cracked.exe)
Executes dropped EXE (24 IoCs)
- 2360 ERNS X!TERS.exe
- 5872 svchost.exe
- 2796 alg.exe
- 3956 DiagnosticsHub.StandardCollector.Service.exe
- 5504 fxssvc.exe
- 3296 elevation_service.exe
- 4764 elevation_service.exe
- 3616 maintenanceservice.exe
- 620 msdtc.exe
- 820 OSE.EXE
- 2292 PerceptionSimulationService.exe
- 4480 perfhost.exe
- 3252 locator.exe
- 1744 SensorDataService.exe
- 3068 snmptrap.exe
- 1116 spectrum.exe
- 5880 ssh-agent.exe
- 3688 TieringEngineService.exe
- 5380 AgentService.exe
- 5444 vds.exe
- 4040 vssvc.exe
- 4396 wbengine.exe
- 5240 WmiApSrv.exe
- 5780 SearchIndexer.exe
Note: only the first two are new files in the usual sense. The rest carry the names of Windows service binaries (plus Firefox's maintenanceservice.exe and Office's OSE.EXE) that the "Drops file" signatures below show ERNS X!TERS.exe opening for modification; the sandbox counts them as dropped because the files were rewritten before they ran. Each pid here is therefore a modified binary executing, and the later registry signatures attributed to SensorDataService.exe, spectrum.exe, TieringEngineService.exe, SearchIndexer.exe's hosts and fxssvc.exe should be read with that in mind.
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- flow 3: raw.githubusercontent.com
- flow 5: raw.githubusercontent.com
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 21: ip-api.com
Drops file in System32 directory (24 IoCs)
File opened for modification by ERNS X!TERS.exe:
- C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- C:\Windows\system32\fxssvc.exe
- C:\Windows\SysWow64\perfhost.exe
- C:\Windows\system32\locator.exe
- C:\Windows\System32\SensorDataService.exe
- C:\Windows\System32\snmptrap.exe
- C:\Windows\system32\spectrum.exe
- C:\Windows\system32\AppVClient.exe
- C:\Windows\system32\msiexec.exe
- C:\Windows\system32\TieringEngineService.exe
- C:\Windows\system32\AgentService.exe
- C:\Windows\System32\vds.exe
- C:\Windows\system32\wbem\WmiApSrv.exe
- C:\Windows\system32\SearchIndexer.exe
- C:\Windows\System32\OpenSSH\ssh-agent.exe
- C:\Windows\system32\wbengine.exe
- C:\Windows\System32\alg.exe
- C:\Windows\system32\dllhost.exe
- C:\Windows\System32\msdtc.exe
- C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- C:\Windows\system32\SgrmBroker.exe
- C:\Windows\system32\vssvc.exe
File opened for modification by other processes:
- C:\Windows\system32\config\systemprofile\AppData\Roaming\75772edb89f5d741.bin (alg.exe)
- C:\Windows\system32\MSDtc\MSDTC.LOG (msdtc.exe)
Note: writing to an existing, signed service binary under System32 requires administrative rights, so the sample ran elevated in this task. Most of the 22 executables reappear by name in "Executes dropped EXE" with a pid; AppVClient.exe, msiexec.exe, dllhost.exe and SgrmBroker.exe were modified but not observed running. The .bin written by the modified alg.exe lands under the system profile's AppData\Roaming, which is a useful host-side artifact to look for.
Drops file in Program Files directory (64 IoCs)
All entries: File opened for modification by ERNS X!TERS.exe.
- C:\Program Files\Java\jdk-1.8\bin\javaw.exe
- C:\Program Files\Java\jdk-1.8\bin\rmic.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
- C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
- C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe
- C:\Program Files\VideoLAN\VLC\vlc.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
- C:\Program Files (x86)\Internet Explorer\ExtExport.exe
- C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
- C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe
- C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe
- C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84812\javaws.exe
- C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe
- C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe
- C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe
- C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
- C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe
- C:\Program Files\Java\jdk-1.8\bin\pack200.exe
- C:\Program Files\Mozilla Firefox\maintenanceservice.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
- C:\Program Files\Java\jdk-1.8\bin\jar.exe
- C:\Program Files\Java\jdk-1.8\bin\jjs.exe
- C:\Program Files\Mozilla Firefox\plugin-container.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84812\javaw.exe
- C:\Program Files\Internet Explorer\ielowutil.exe
- C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
- C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
- C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe
- C:\Program Files\Java\jre-1.8\bin\java-rmi.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
- C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevated_tracing_service.exe
- C:\Program Files\Java\jdk-1.8\bin\javaws.exe
- C:\Program Files\Java\jre-1.8\bin\servertool.exe
- C:\Program Files\VideoLAN\VLC\uninstall.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe
- C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
- C:\Program Files\Internet Explorer\ExtExport.exe
- C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe
- C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
- C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
- C:\Program Files\Java\jre-1.8\bin\keytool.exe
- C:\Program Files\Java\jre-1.8\bin\orbd.exe
- C:\Program Files\Java\jre-1.8\bin\tnameserv.exe
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe
- C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe
- C:\Program Files\Java\jre-1.8\bin\java.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
- C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe
- C:\Program Files\Java\jdk-1.8\bin\javap.exe
- C:\Program Files\Java\jdk-1.8\bin\kinit.exe
- C:\Program Files\Java\jdk-1.8\bin\orbd.exe
- C:\Program Files\Java\jdk-1.8\bin\schemagen.exe
- \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
- C:\Program Files\7-Zip\7zFM.exe
- C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe
- C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe
- C:\Program Files\Java\jre-1.8\bin\javaws.exe
- C:\Program Files\Java\jre-1.8\bin\ssvagent.exe
- C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Drops file in Windows directory (4 IoCs)
- File created: C:\Windows\0704.wav (ERNS X!TERS.exe)
- File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (ERNS X!TERS.exe)
- File created: C:\Windows\ACTIVADA.wav (ERNS X!TERS.exe)
- File opened for modification: C:\Windows\DtcInstall.log (msdtc.exe)
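Read together, the three "Drops file" signatures record one process, ERNS X!TERS.exe, opening nearly ninety existing executables for modification across System32, SysWow64 and a dozen Program Files products (several lists on this page stop at 64 entries, so the true count is likely higher), and "Executes dropped EXE" shows many of the same binaries subsequently running. The Python below is an added example, not code from the report or from the sample, that turns those two observations into a triage check: a fan-out heuristic for mass executable modification, and a join against the executed-process list that tells a responder which of the rewritten binaries have already run. The event tuples and pid map are a subset of the report's IoCs retyped for the example; the thresholds are assumptions.

```python
"""
Flag a process that opens many existing executables for modification (the
fan-out this report shows for ERNS X!TERS.exe) and list which of the touched
binaries later ran as their own process.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Subset of the report's file IoCs as (action, path, process). The paths come
# from the Drops file signatures above; the tuple form is constructed here.
FILE_EVENTS = [
    ("modify", r"C:\Windows\system32\fxssvc.exe", "ERNS X!TERS.exe"),
    ("modify", r"C:\Windows\SysWow64\perfhost.exe", "ERNS X!TERS.exe"),
    ("modify", r"C:\Windows\System32\alg.exe", "ERNS X!TERS.exe"),
    ("modify", r"C:\Windows\system32\SearchIndexer.exe", "ERNS X!TERS.exe"),
    ("modify", r"C:\Windows\System32\OpenSSH\ssh-agent.exe", "ERNS X!TERS.exe"),
    ("modify", r"C:\Program Files\VideoLAN\VLC\vlc.exe", "ERNS X!TERS.exe"),
    ("modify", r"C:\Program Files\7-Zip\7zFM.exe", "ERNS X!TERS.exe"),
    ("modify", r"C:\Program Files\Java\jdk-1.8\bin\javaw.exe", "ERNS X!TERS.exe"),
    ("modify", r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe", "ERNS X!TERS.exe"),
    ("modify", r"C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe", "ERNS X!TERS.exe"),
    ("create", r"C:\Windows\0704.wav", "ERNS X!TERS.exe"),
    ("create", r"C:\Windows\ACTIVADA.wav", "ERNS X!TERS.exe"),
    ("modify", r"C:\Windows\system32\MSDtc\MSDTC.LOG", "msdtc.exe"),
    ("modify", r"C:\Windows\DtcInstall.log", "msdtc.exe"),
    ("modify", r"C:\Windows\system32\config\systemprofile\AppData\Roaming\75772edb89f5d741.bin", "alg.exe"),
]

# Subset of the report's "Executes dropped EXE" pids.
EXECUTED = {
    2360: "ERNS X!TERS.exe", 5872: "svchost.exe", 2796: "alg.exe",
    5504: "fxssvc.exe", 4480: "perfhost.exe", 5880: "ssh-agent.exe",
    5780: "SearchIndexer.exe",
}


def product_dir(path):
    """'C:\\Program Files\\VideoLAN\\VLC\\vlc.exe' -> 'program files\\videolan'."""
    parts = PureWindowsPath(path).parts
    return "\\".join(p.lower() for p in parts[1:3])


def mass_exe_modifiers(events, min_exes=5, min_dirs=3):
    """Processes that modify >= min_exes distinct .exe files in >= min_dirs product dirs.

    A legitimate installer or updater rewrites executables inside its own
    product directory; a process touching executables across many unrelated
    products is the file-infector pattern.
    """
    targets = defaultdict(set)
    for action, path, proc in events:
        if action == "modify" and PureWindowsPath(path).suffix.lower() == ".exe":
            targets[proc].add(path)
    flagged = {}
    for proc, paths in targets.items():
        dirs = {product_dir(p) for p in paths}
        if len(paths) >= min_exes and len(dirs) >= min_dirs:
            flagged[proc] = {"exe_count": len(paths), "dir_count": len(dirs),
                             "targets": sorted(paths)}
    return flagged


def modified_then_executed(events, executed):
    """Basenames of modified files that later appear as running processes."""
    modified = {PureWindowsPath(p).name.lower(): PureWindowsPath(p).name
                for a, p, _ in events if a == "modify"}
    seen = {name.lower() for name in executed.values()}
    return sorted((modified[n] for n in modified if n in seen), key=str.lower)


if __name__ == "__main__":
    for proc, info in mass_exe_modifiers(FILE_EVENTS).items():
        print(f"{proc}: {info['exe_count']} executables in {info['dir_count']} directories")
    print("modified then executed:", modified_then_executed(FILE_EVENTS, EXECUTED))
```

On the subset above only ERNS X!TERS.exe trips the heuristic (10 executables across 7 product directories), while msdtc.exe and alg.exe, which each touch only a log or data file, do not. The join reports alg.exe, fxssvc.exe, perfhost.exe, SearchIndexer.exe and ssh-agent.exe as rewritten binaries that have already executed; on a real host those are the files to hash against a clean copy or restore first, since they run as services under high-privilege accounts.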
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Note: every read here comes from SensorDataService.exe (pid 1744) or spectrum.exe (pid 1116), two Windows service binaries that the "Drops file in System32 directory" signature shows ERNS X!TERS.exe opening for modification before they ran. Device enumeration is normal start-up behaviour for both services, so this signature may reflect the modified hosts' own code rather than evasion logic in the payload. The values read are nonetheless revealing: the FriendlyName of a CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM device identifies the analysis VM to any code that does check.
All keys are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ (prefix omitted below). Entries are "Key opened" except FriendlyName, which is "Key value queried"; "both" means spectrum.exe and SensorDataService.exe.
CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
- (device key): spectrum.exe
- FriendlyName: both
- Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006: SensorDataService.exe
- Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C: both
- Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A: both
- Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A: both
- Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009: both
- Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004: both
- Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A: both
CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
- (device key): spectrum.exe
- FriendlyName: both
- Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006: both
- Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C: both
- Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A: both
- Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A: both
- Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009: spectrum.exe
- Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004: both
- Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A: both
CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000
- (device key): both
- FriendlyName: both
- Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006: both
- Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C: spectrum.exe
- Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A: SensorDataService.exe
- Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A: both
- Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009: both
- Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004: SensorDataService.exe
- Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A: both
Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000
- (device key): both
- FriendlyName: both
- Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006: both
- Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C: both
- Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A: both
- Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A: both
- Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009: both
- Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004: both
- Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A: spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (TieringEngineService.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (TieringEngineService.exe)
Note: as with the SCSI reads, the process here is a Windows service binary (TieringEngineService.exe, pid 3688) that ERNS X!TERS.exe opened for modification before it ran; a ~MHz read at service start is ordinary behaviour for it, so this is weak evidence of deliberate sandbox detection on its own.
Modifies data under HKEY_USERS (64 IoCs)
Note: all of these writes come from SearchProtocolHost.exe, SearchFilterHost.exe and fxssvc.exe under the .DEFAULT hive: MUI cache strings, shell-extension cache entries and file-type keys that the indexer populates when SearchIndexer.exe (pid 5780) starts, plus fax-service strings from fxssvc.exe (pid 5504). Both SearchIndexer.exe and fxssvc.exe are among the binaries ERNS X!TERS.exe opened for modification, so this signature records side effects of the modified services running; none of the keys below is a persistence location.
All keys are under \REGISTRY\USER\.DEFAULT\ (prefix omitted below).
SearchProtocolHost.exe, Key created:
- Software
- Software\Microsoft\Windows\CurrentVersion\Explorer
- Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
- Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList
- Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd
- Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx
- Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList
- Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList
- Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS
- Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList
- Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList
- Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx
SearchProtocolHost.exe, Set value (data) under Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\<CLSID> {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF:
- {487BA7B8-4DB0-465F-B122-C74A445A095D} = 0100000000000000f059d31c529ddb01
- {A38B883C-1682-497E-97B0-0A3A9E801682} = 0100000000000000c054f214529ddb01
- {01BE4CFB-129A-452B-A209-F9D40B3B84A5} = 0100000000000000d33e1d15529ddb01
- {AEB16279-B750-48F1-8586-97956060175A} = 01000000000000006b2f7216529ddb01
- {80009818-F38F-4AF1-87B5-EADAB9433E58} = 01000000000000008f7d8016529ddb01
- {97E467B4-98C6-4F19-9588-161B7773D6F6} = 0100000000000000dd8b4a15529ddb01
- {8082C5E6-4C27-48EC-A809-B8E1122E8F97} = 0100000000000000a50ae41c529ddb01
- {5383EF74-273B-4278-AB0C-CDAA9FD5369E} = 01000000000000002686c615529ddb01
SearchProtocolHost.exe, Set value (str) under Software\Classes\Local Settings\MuiCache\27\52C64B7E\, resource @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll:
- ,-102 = "Microsoft Excel Template"
- ,-125 = "Microsoft Word Template"
- ,-116 = "Microsoft Excel Template"
- ,-178 = "OpenDocument Presentation"
- ,-127 = "OpenDocument Text"
- ,-121 = "Microsoft Word 97 - 2003 Template"
- ,-140 = "Microsoft OneNote Section"
- ,-123 = "Microsoft Word Document"
- ,-142 = "Microsoft OneNote Table Of Contents"
- ,-101 = "Microsoft Excel Worksheet"
SearchProtocolHost.exe, Set value (str) under Software\Classes\Local Settings\MuiCache\27\52C64B7E\, other resources:
- @C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"
- @C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"
- @C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"
- @C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"
- @C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"
- @C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"
- @C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"
- @C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"
- @windows.storage.dll,-21824 = "Camera Roll"
- @C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"
- @C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"
- @C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"
- @C:\Windows\System32\mshta.exe,-6412 = "HTML Application"
- @C:\Windows\System32\ieframe.dll,-912 = "HTML Document"
- @C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"
- @C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"
- @C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"
SearchFilterHost.exe, Key created:
- Software
- SOFTWARE
- Software\Microsoft
- Software\Microsoft\Windows
- Software\Microsoft\SystemCertificates
- Software\Microsoft\SystemCertificates\My
- Software\Microsoft\MPEG2Demultiplexer
- SOFTWARE\Microsoft\MPEG2Demultiplexer
- Software\Microsoft\ActiveMovie
- Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device
- Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device
- Software\Microsoft\Multimedia
- Software\Microsoft\Multimedia\ActiveMovie
- Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
fxssvc.exe, Set value (str) under Software\Classes\Local Settings\MuiCache\27\52C64B7E\:
- @fxsresm.dll,-1130 = "Microsoft Modem Device Provider"
- @fxsresm.dll,-1131 = "Route through e-mail"
- @fxsresm.dll,-1134 = "Microsoft Routing Extension"
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe 2360 ERNS X!TERS.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2360 ERNS X!TERS.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 656 Process not Found 656 Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 2360 ERNS X!TERS.exe Token: SeDebugPrivilege 5872 svchost.exe Token: SeIncreaseQuotaPrivilege 1564 wmic.exe Token: SeSecurityPrivilege 1564 wmic.exe Token: SeTakeOwnershipPrivilege 1564 wmic.exe Token: SeLoadDriverPrivilege 1564 wmic.exe Token: SeSystemProfilePrivilege 1564 wmic.exe Token: SeSystemtimePrivilege 1564 wmic.exe Token: SeProfSingleProcessPrivilege 1564 wmic.exe Token: SeIncBasePriorityPrivilege 1564 wmic.exe Token: SeCreatePagefilePrivilege 1564 wmic.exe Token: SeBackupPrivilege 1564 wmic.exe Token: SeRestorePrivilege 1564 wmic.exe Token: SeShutdownPrivilege 1564 wmic.exe Token: SeDebugPrivilege 1564 wmic.exe Token: SeSystemEnvironmentPrivilege 1564 wmic.exe Token: SeRemoteShutdownPrivilege 1564 wmic.exe Token: SeUndockPrivilege 1564 wmic.exe Token: SeManageVolumePrivilege 1564 wmic.exe Token: 33 1564 wmic.exe Token: 34 1564 wmic.exe Token: 35 1564 wmic.exe Token: 36 1564 wmic.exe Token: SeIncreaseQuotaPrivilege 1564 wmic.exe Token: SeSecurityPrivilege 1564 wmic.exe Token: SeTakeOwnershipPrivilege 1564 wmic.exe Token: SeLoadDriverPrivilege 1564 wmic.exe Token: SeSystemProfilePrivilege 1564 wmic.exe Token: SeSystemtimePrivilege 1564 wmic.exe Token: SeProfSingleProcessPrivilege 1564 wmic.exe Token: SeIncBasePriorityPrivilege 1564 wmic.exe Token: SeCreatePagefilePrivilege 1564 wmic.exe Token: SeBackupPrivilege 1564 wmic.exe Token: SeRestorePrivilege 1564 wmic.exe Token: SeShutdownPrivilege 1564 wmic.exe Token: SeDebugPrivilege 1564 wmic.exe Token: SeSystemEnvironmentPrivilege 1564 wmic.exe Token: SeRemoteShutdownPrivilege 1564 wmic.exe Token: SeUndockPrivilege 1564 wmic.exe Token: SeManageVolumePrivilege 1564 wmic.exe Token: 33 1564 wmic.exe Token: 34 1564 wmic.exe Token: 35 1564 wmic.exe Token: 36 1564 wmic.exe Token: SeAuditPrivilege 5504 fxssvc.exe Token: SeRestorePrivilege 3688 TieringEngineService.exe Token: SeManageVolumePrivilege 3688 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 5380 AgentService.exe Token: SeBackupPrivilege 4040 vssvc.exe Token: SeRestorePrivilege 4040 vssvc.exe Token: SeAuditPrivilege 4040 vssvc.exe Token: SeBackupPrivilege 4396 wbengine.exe Token: SeRestorePrivilege 4396 wbengine.exe Token: SeSecurityPrivilege 4396 wbengine.exe Token: 33 5780 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 5780 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5780 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5780 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5780 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5780 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5780 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5780 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5780 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5780 SearchIndexer.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2360 ERNS X!TERS.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 3500 wrote to memory of 2360 3500 sultan cracked.exe 86 PID 3500 wrote to memory of 2360 3500 sultan cracked.exe 86 PID 3500 wrote to memory of 5872 3500 sultan cracked.exe 87 PID 3500 wrote to memory of 5872 3500 sultan cracked.exe 87 PID 5872 wrote to memory of 1564 5872 svchost.exe 90 PID 5872 wrote to memory of 1564 5872 svchost.exe 90 PID 2360 wrote to memory of 3468 2360 ERNS X!TERS.exe 102 PID 2360 wrote to memory of 3468 2360 ERNS X!TERS.exe 102 PID 3468 wrote to memory of 3156 3468 cmd.exe 104 PID 3468 wrote to memory of 3156 3468 cmd.exe 104 PID 3468 wrote to memory of 5820 3468 cmd.exe 106 PID 3468 wrote to memory of 5820 3468 cmd.exe 106 PID 3468 wrote to memory of 1852 3468 cmd.exe 107 PID 3468 wrote to memory of 1852 3468 cmd.exe 107 PID 5780 wrote to memory of 3608 5780 SearchIndexer.exe 125 PID 5780 wrote to memory of 3608 5780 SearchIndexer.exe 125 PID 5780 wrote to memory of 5492 5780 SearchIndexer.exe 126 PID 5780 wrote to memory of 5492 5780 SearchIndexer.exe 126 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (process tree; nesting shows parent/child relationship)
- [PID 3500] C:\Users\Admin\AppData\Local\Temp\sultan cracked.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sultan cracked.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - [PID 2360] C:\Users\Admin\AppData\Local\Temp\ERNS X!TERS.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ERNS X!TERS.exe"
    Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - [PID 3468] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\ERNS X!TERS.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      Signatures: Suspicious use of WriteProcessMemory
      - [PID 3156] C:\Windows\system32\certutil.exe
        Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\ERNS X!TERS.exe" MD5
      - [PID 5820] C:\Windows\system32\find.exe
        Command line: find /i /v "md5"
      - [PID 1852] C:\Windows\system32\find.exe
        Command line: find /i /v "certutil"
  - [PID 5872] C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [PID 1564] C:\Windows\System32\Wbem\wmic.exe
      Command line: "wmic.exe" csproduct get uuid
      Signatures: Suspicious use of AdjustPrivilegeToken
- [PID 2796] C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory
- [PID 3956] C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Signatures: Executes dropped EXE
- [PID 4676] C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
- [PID 5504] C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
- [PID 3296] C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
  Signatures: Executes dropped EXE
- [PID 4764] C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
  Signatures: Executes dropped EXE
- [PID 3616] C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  Signatures: Executes dropped EXE
- [PID 620] C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Windows directory
- [PID 820] \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  Signatures: Executes dropped EXE
- [PID 2292] C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Signatures: Executes dropped EXE
- [PID 4480] C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  Signatures: Executes dropped EXE
- [PID 3252] C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  Signatures: Executes dropped EXE
- [PID 1744] C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  Signatures: Executes dropped EXE; Checks SCSI registry key(s)
- [PID 3068] C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  Signatures: Executes dropped EXE
- [PID 1116] C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  Signatures: Executes dropped EXE; Checks SCSI registry key(s)
- [PID 5880] C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  Signatures: Executes dropped EXE
- [PID 3688] C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  Signatures: Executes dropped EXE; Checks processor information in registry; Suspicious use of AdjustPrivilegeToken
- [PID 1548] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
- [PID 5380] C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [PID 5444] C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  Signatures: Executes dropped EXE
- [PID 4040] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [PID 4396] C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [PID 5240] C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  Signatures: Executes dropped EXE
- [PID 5780] C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [PID 3608] C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    Signatures: Modifies data under HKEY_USERS
  - [PID 5492] C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    Signatures: Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads