Analysis
max time kernel: 292s
max time network: 300s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 02/10/2024, 01:51
Static task: static1
Behavioral task: behavioral1
Sample: 02102024_0151_x.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 02102024_0151_x.exe
Resource: win10v2004-20240802-en
General
Target: 02102024_0151_x.exe
Size: 1.1MB
MD5: 4ddb14680584c0546ccbc70b8d0411c4
SHA1: 1ff45158480cc901c99079f02b82d4a40163be7a
SHA256: 1d8968fc899fd0ccb7737c1019808f034eb86e7c55359681f7e51cf1982ba07e
SHA512: 18542630cb735f45b0cf8bf9f7b64bcb6110dc21e94e83bd25007afc6a2677660ba46ff2c83c0c040c4bf8fb3d22f30089dee655822313f6d72b1f75fb8d2d4d
SSDEEP: 24576:cBMP2iSAAicPschqrDG3oxxRa/hoKg97y4zuaRacKHT:cOP+wm3Aihg9XzuaRe
Malware Config
Extracted
Protocol: smtp
Host: s82.gocheapweb.com
Port: 587
Username: [email protected]
Password: london@1759
Extracted
agenttesla
Protocol: smtp
Host: s82.gocheapweb.com
Port: 587
Username: [email protected]
Password: london@1759
Email To: [email protected]
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage 61 IoCs
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid Process 4048 powershell.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation lxsyrsiW.pif Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation server_BTC.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk server_BTC.exe -
Executes dropped EXE 35 IoCs
pid Process 3248 alpha.pif 2024 alpha.pif 1864 alpha.pif 2280 xpha.pif 1452 per.exe 2924 pha.pif 3804 alpha.pif 740 alpha.pif 3820 alpha.pif 2352 lxsyrsiW.pif 4256 alg.exe 1772 DiagnosticsHub.StandardCollector.Service.exe 4520 neworigin.exe 1964 server_BTC.exe 764 elevation_service.exe 5072 fxssvc.exe 3856 elevation_service.exe 1948 maintenanceservice.exe 1320 OSE.EXE 4464 TrojanAIbot.exe 3932 msdtc.exe 3140 PerceptionSimulationService.exe 4960 perfhost.exe 1756 locator.exe 2008 SensorDataService.exe 4504 snmptrap.exe 1392 spectrum.exe 4800 ssh-agent.exe 1812 TieringEngineService.exe 4260 AgentService.exe 3116 vds.exe 2852 vssvc.exe 1576 wbengine.exe 716 WmiApSrv.exe 2912 SearchIndexer.exe -
Loads dropped DLL 1 IoCs
pid Process 1452 per.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wisrysxl = "C:\\Users\\Public\\Wisrysxl.url" 02102024_0151_x.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 16 drive.google.com 19 drive.google.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 60 api.ipify.org 62 api.ipify.org -
Drops file in System32 directory 32 IoCs
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4148 set thread context of 2352 4148 02102024_0151_x.exe 107 -
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe elevation_service.exe File opened for modification C:\Windows\DtcInstall.log msdtc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language alpha.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language alpha.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server_BTC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TrojanAIbot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02102024_0151_x.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language alpha.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language alpha.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxsyrsiW.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language neworigin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language alpha.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xpha.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language alpha.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1400 esentutl.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0        TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   TieringEngineService.exe
Delays execution with timeout.exe 1 IoCs
PID 2736  timeout.exe
Modifies data under HKEY_USERS 64 IoCs
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID 4144  schtasks.exe
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
HTTP User-Agent header  flow 19  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  flow 21  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs
PID 4464  TrojanAIbot.exe
Suspicious behavior: EnumeratesProcesses 19 IoCs
PID 2924  pha.pif (2 events)
PID 4520  neworigin.exe (2 events)
PID 4048  powershell.exe (2 events)
PID 1772  DiagnosticsHub.StandardCollector.Service.exe (6 events)
PID 764   elevation_service.exe (7 events)
Suspicious behavior: LoadsDriver 2 IoCs
PID 656  Process not Found (2 events)
Suspicious use of AdjustPrivilegeToken 48 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
PID 4520  neworigin.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\02102024_0151_x.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\02102024_0151_x.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4148
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" "
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4336
    - C:\Windows\SysWOW64\esentutl.exe
      Command line: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
      PID: 4728
    - C:\Windows\SysWOW64\esentutl.exe
      Command line: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
      - System Network Configuration Discovery: Internet Connection Discovery
      PID: 1400
    - C:\Users\Public\alpha.pif
      Command line: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 3248
    - C:\Users\Public\alpha.pif
      Command line: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2024
    - C:\Users\Public\alpha.pif
      Command line: C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1864
      - C:\Users\Public\xpha.pif
        Command line: C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 2280
    - C:\Windows \SysWOW64\per.exe
      Command line: "C:\\Windows \\SysWOW64\\per.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 1452
      - C:\Windows\SYSTEM32\esentutl.exe
        Command line: esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o
        PID: 4828
      - C:\Users\Public\pha.pif
        Command line: C:\\Users\\Public\\pha.pif -WindowStyle hidden -Command Add-MpPreference -ExclusionExtension '.exe','bat','.pif'
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2924
    - C:\Users\Public\alpha.pif
      Command line: C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 3804
    - C:\Users\Public\alpha.pif
      Command line: C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 740
    - C:\Users\Public\alpha.pif
      Command line: C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 3820
  - C:\Windows\SysWOW64\esentutl.exe
    Command line: C:\\Windows\\System32\\esentutl.exe /y C:\Users\Admin\AppData\Local\Temp\02102024_0151_x.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o
    PID: 1996
  - C:\Users\Public\Libraries\lxsyrsiW.pif
    Command line: C:\Users\Public\Libraries\lxsyrsiW.pif
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2352
    - C:\Users\Admin\AppData\Local\Temp\neworigin.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\neworigin.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 4520
    - C:\Users\Admin\AppData\Local\Temp\server_BTC.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server_BTC.exe"
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1964
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ACCApi'
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4048
      - C:\Windows\SysWOW64\schtasks.exe
        Command line: "schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 01:58 /du 23:59 /sc daily /ri 1 /f
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task
        PID: 4144
      - C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe
        Command line: "C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of AdjustPrivilegeToken
        PID: 4464
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp947B.tmp.cmd""
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 4524
        - C:\Windows\SysWOW64\timeout.exe
          Command line: timeout 6
          - System Location Discovery: System Language Discovery
          - Delays execution with timeout.exe
          PID: 2736
- C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4256
- C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1772
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 4580
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 764
- C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 5072
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 3856
- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 1948
- \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 1320
- C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 3932
- C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 3140
- C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 4960
- C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 1756
- C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 2008
- C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 4504
- C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 1392
- C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 4800
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 3612
- C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 1812
- C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4260
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 3116
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2852
- C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1576
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 716
- C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2912
  - C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID: 1860
  - C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID: 1556
Network
MITRE ATT&CK Enterprise v15
Tactic               | Technique                          | Sub-technique                      | Count
Execution            | Command and Scripting Interpreter  | PowerShell                         | 1
Execution            | Scheduled Task/Job                 | Scheduled Task                     | 1
Persistence          | Boot or Logon Autostart Execution  | Registry Run Keys / Startup Folder | 1
Persistence          | Scheduled Task/Job                 | Scheduled Task                     | 1
Privilege Escalation | Boot or Logon Autostart Execution  | Registry Run Keys / Startup Folder | 1
Privilege Escalation | Scheduled Task/Job                 | Scheduled Task                     | 1
Credential Access    | Credentials from Password Stores   | Credentials from Web Browsers      | 1
Credential Access    | Unsecured Credentials              | Credentials In Files               | 3
Credential Access    | Unsecured Credentials              | Credentials in Registry            | 1
Downloads
-
Filesize
1.9MB
MD539f472ee285c0a09d6c7e737ab04dd2d
SHA15040764ee62b829ee2467e317d44f1c3e051ad8a
SHA256e69aec4a173be7d3436f8f639b84391ded4eae1478b00cd843d78dc288ae80c2
SHA5120868ee5f3a80340643d0396338ce8c8a59e032084ea9d0b0ab28b51f8b58621628a71ea59289ff6572e18e40a524a9c69ec6dfa958e5200ac5e22bb60742d313
-
Filesize
2.1MB
MD54c6323a18983b0e40a1edaf646eae5a7
SHA16b3f3147700c97220d74ffad788a104abdf244d6
SHA256d71257322ec994b56beea78d63b844ad701643fa1b33eb818e1b1729df96953e
SHA5120ddb77ff27a70fc97c5d4f67460ea44e89554a81a42ea47f078155c1b748bb909f1dd3595da14c87e98651e93cfae1e08fbdad950dd73d3c9b7432bb8a68fd9a
-
Filesize
1.8MB
MD5d61f479a95da17e1f411b20ffab6a6a5
SHA1433ca69ccd90dc38e3afe6416224c1438c8c0939
SHA256cc7432da0eaba02368d3d72fb875c76cd20b727cb6c53c5d9715780ec8f166fe
SHA5121e9d564220f38335f92642b99e45cbae9eae635f2733b33b0ad0c70b77f0ad45f43356299875ed6ccae16e24b91333ffeeaaf78bf5b7e9685d068da871590575
-
Filesize
1.6MB
MD5c0e46ed286a7f60ded329bba043959f6
SHA1f4f7f82f0956a227a890ea64721ccc45d12f20ac
SHA256a5ffb0b1fe5670c49eb26300a6e6808697bb6ef766bd0f6a062054b4d43f52de
SHA5122475216ff18af464a9b316e59e62e925059b17b2cfe170c939ac6737755cea8748f0dfcc9b118200be89ff0cafde749c7a6a2aa8169ec6147bc60b79ef4b3825
-
Filesize
1.1MB
MD53dae7f9dafe58d997fd8a824cd677c29
SHA179f26c204f722573eccecb48f1aae6a4a39b6a18
SHA256ce0d53d9696d540587611bfff419ba588c2b9bc0e6cd44807c7d3d10bf133290
SHA512bb77f16942c65ea2e47329f8f666e4956e697227f1802a5c5ed4aca29fd8811959be5cb10e7f049d32c88fbaf4da57b37133747e2639c59b013b3b7de072192a
-
Filesize
1.1MB
MD59addcc78a5bf445a4250c555c559a63b
SHA19f30cdf1a2fb139afa22322da31a699314d7c000
SHA256522bd2fdcf72c8f1fdbb634803bfb6d58898ebd84ceda5b5b5caeb0a0965a960
SHA5122aa0d54b9a11298ebad8ed374ea9a27b671c21c200628cb7afc41ed82b817d01e8ae692467acf04d124b7ce5ef0dee122c94ce968ca647e9fecae8b8e379047f
-
Filesize
1.1MB
MD5a73477ba2fb004271229e8804a82966b
SHA1d82f6ec68861478e6ebd151db5cad10a2d1ad18c
SHA25638744676d50cea34fdaa2a2aa8055fc0b385452ed8fb680f8df4680029b9c8a3
SHA512d473dce046b2ae2c39f345ff4d7eaed0777cd2fd5453ae108e85387c332f2c944e73a653ee4064f2d59f117f780b55fffe56d80f7e05f0eac9d36e854fc9fcae
-
Filesize
1.1MB
MD59e06bc56e7c5b49b91f2986291d34227
SHA17c8d05bca599132eafb7471f2f9422d4301ee759
SHA256ec734ae0baac08c6d6a7861e0a06551476189b462d2933af978447cc6c9f577c
SHA51205b18fb5b5254c9b781c5213ee249550b6e05f9aeaf72583c5bdd3bf4a4823335f6f1b7fb6d8fa1186061726d9f9ef6f5b7af807efadbb3e79df81ee634ccb6d
-
Filesize
1.1MB
MD56e963d4031cf78472696281456ebc7aa
SHA1b25f095d3136bc5bfc7d8362051da5e853c27f05
SHA256f47f9e372ca07321590e267c1f6f53af3208f0faabcbc2fffc7e34d4d720d35a
SHA512f1eabd7dcae8ef80369e439f2c960ba3943f0c972c1895bd329c59d92b006a0c8317c47d4841d84f8957e9bd85554300767914b8f02840294f02db272fe85627
-
Filesize
1.1MB
MD50bb872d77adb1bcf73645a3fa0a83fb1
SHA14b9b66987e60207b15160a658f782c57d4ebe46c
SHA256308ffacd6b42bcd6ef48dd875e177e0805bf674ed1fd122a0bfb869afc5081ec
SHA51211bd965b7221ed99846b32d5c161810b4a9d4cb4685abf7992825fdb5537416d18e1b41e928580b9af165998d504d2c75bdb2222d08f8249b2d9b92a5f49a1cf
-
Filesize
1.1MB
MD575d6914c38d212635b0b16f121fdf92d
SHA170f039d95f144b4a5e894f9438542e4584007ff1
SHA256c94eed6d381fdc4b683fd959e25d08604136ba50b14ffed30b712db198abdf07
SHA512065a263bfebb3c4b306785620e16da78b897d61ef234a730830b207ced3381ec8c63dbcdde46ba5909c89af76e725da83fa9ab952aad52f45060b448b40ac292
-
Filesize
1.3MB
MD5eda3db1ac382d0a2617dcc6978fcc4ab
SHA1ea177f78f982895c2037d7a7f1d6f8ad3e71b14c
SHA25654873dff8c50540ab933390e875c8e31056288060404703bcbac2b74e3751d68
SHA5127bba3b7ab639871f7c0250c56b37c338b96cade195963078b033d54f681c6d2e78f8e12f72b496f1408376ca278692d1d53e4c01e4300be96aad13404fa459cc
-
Filesize
1.1MB
MD5848f16ef244e5e163915361e96935ecb
SHA13664519bef9d4788076796cd461e75f1b9dc5a67
SHA256d4262a6035270551aca0999d1693b2d6a3985602349dee3c2baa802ccf634190
SHA512ab273e243131892b4e8b2a589d9ba6543f4c4b1d4064d21829bd06c0310c56fad88b1f3ad59588ed3a6b45c7b562fc2c014e555fabb2d7caba51aec40235d4d4
-
Filesize
1.1MB
MD5a2aa09d1d267e1b14e7c0faa53423434
SHA1f3c37c138d7591d5ea49406e5f3f91146fb2b301
SHA2567fa28e036eba5ea16a22b43333dd229c75723f0609db9f7eeaa73f5519c5b786
SHA512352dc549f82fd67db986b6670866b82856f887921d34cd16baea0e2bbbe7b2549eb84bdd2f68a1075066d6a628185fa297ecb4617ec607b450412e89afc88024
-
Filesize
1.2MB
MD513c5a2d55e744e0a002a4570e4cd5dbc
SHA14e2231bc80a757210f947a09eff569c1572eaa72
SHA256fe293007a34ca11d4e9170c1aca1e0976b8cec343b2febd8178f7d6f3566d859
SHA5122e0ff487c57dcb88b16e532f8d357f06cb77d425abcc96b495ed3c9b610792d7bb7e946bf55fe1261e56193e2398c54e82214e2bf1aa0511254ed197e8861f8b
-
Filesize
1.1MB
MD579e96f9cd2c039fd0dbc4bb2493ae86d
SHA161503a7df94510eb780fbe1c75e0584a5ccd0939
SHA256782914635d06939ef39a398bc0245c3d0e432fa90987c7e60f24873221f8e994
SHA512dfd53dc85a67f5a5871abb61ddb794e11b04e3b54d221860ecebfeb34dcd8c124800a000f94191db51fc81bfc866f133df668ac8988eaeaef90f9e609792adf6
-
Filesize
1.1MB
MD54e5af88b95a4b121200f451c955c2017
SHA1fe88f944424fccafd19ce6318e100592c1b959f6
SHA25640604113c28b8c2fc804b5920a3730c0f8dc980fd239af23ac0fcd178c1afffa
SHA512c971e0eeb304826ccc413b4aad1afbeedf770111f7f2b1a2fd2ff3e5af285faeb4710124f92fcfb70f11c3c467666da19efa986eb8d1b477abb5b10367648b6f
-
Filesize
1.2MB
MD5ea26e92bb3ea236f05220d28274a063f
SHA1e5a3b1b4d4d23dcff42ed390191b2452cdfbc6ea
SHA256ba239643cf2a3daffbc1f9b2f331c75f5c39d6f4594f2ea70d3725274e11895b
SHA51263caa34f55367b711ed6dd436974b4fb01575314169687a19eee03b28084bafa8052fb3d9cef7f5c514989c33db3a57cb667ea2e209ccf8840a6cfb301b9d25a
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
244KB
MD5d6a4cf0966d24c1ea836ba9a899751e5
SHA1392d68c000137b8039155df6bb331d643909e7e7
SHA256dc441006cb45c2cfac6c521f6cd4c16860615d21081563bd9e368de6f7e8ab6b
SHA5129fa7aa65b4a0414596d8fd3e7d75a09740a5a6c3db8262f00cb66cd4c8b43d17658c42179422ae0127913deb854db7ed02621d0eeb8ddff1fac221a8e0d1ca35
-
Filesize
226KB
MD550d015016f20da0905fd5b37d7834823
SHA16c39c84acf3616a12ae179715a3369c4e3543541
SHA25636fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5
SHA51255f639006a137732b2fa0527cd1be24b58f5df387ce6aa6b8dd47d1419566f87c95fc1a6b99383e8bd0bcba06cc39ad7b32556496e46d7220c6a7b6d8390f7fc
-
Filesize
162B
MD546a9b91d4642f859b92f0bcf44694914
SHA12595ac725ce423fcfa8763c9becab2ca21f82c13
SHA2563483cf7ecb7e07188b246756674a5d0e7196275ed248654235a43be1f6b45259
SHA512e74729681ef723b8509b055e469b1b91428162c4344670e2339b3e5edaab09c4c4b90a5a944e67eadc6527187f5eb939119d2acc5e3a756479e0e48772e1ef0f
-
Filesize
60KB
MD5b87f096cbc25570329e2bb59fee57580
SHA1d281d1bf37b4fb46f90973afc65eece3908532b2
SHA256d08ccc9b1e3acc205fe754bad8416964e9711815e9ceed5e6af73d8e9035ec9e
SHA51272901adde38f50cf6d74743c0a546c0fea8b1cd4a18449048a0758a7593a176fc33aad1ebfd955775eefc2b30532bcc18e4f2964b3731b668dd87d94405951f7
-
Filesize
66KB
MD5c116d3604ceafe7057d77ff27552c215
SHA1452b14432fb5758b46f2897aeccd89f7c82a727d
SHA2567bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA5129202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6
-
Filesize
231KB
MD5d0fce3afa6aa1d58ce9fa336cc2b675b
SHA14048488de6ba4bfef9edf103755519f1f762668f
SHA2564d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22
SHA51280e127ef81752cd50f9ea2d662dc4d3bf8db8d29680e75fa5fc406ca22cafa5c4d89ef2eac65b486413d3cdd57a2c12a1cb75f65d1e312a717d262265736d1c2
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
18KB
MD5b3624dd758ccecf93a1226cef252ca12
SHA1fcf4dad8c4ad101504b1bf47cbbddbac36b558a7
SHA2564aaa74f294c15aeb37ada8185d0dead58bd87276a01a814abc0c4b40545bf2ef
SHA512c613d18511b00fa25fc7b1bdde10d96debb42a99b5aaab9e9826538d0e229085bb371f0197f6b1086c4f9c605f01e71287ffc5442f701a95d67c232a5f031838
-
Filesize
115KB
MD56d23fe871b2064c6d13580a5745f23cb
SHA150e113c0e2269cf7972466a828822803537a8f6e
SHA256c835f2a1234b62ab7684694af378f62770903d07d6fdfbe3a371509e2b4ccc67
SHA5121244be1ab0a9cabc0eb02249d4b083939e3f088ebda4b58dc03c61618fce56f27a3f58cfd74d39fb06010db7515520307766c16815f6700507a0371d03765e1a
-
Filesize
94KB
MD5869640d0a3f838694ab4dfea9e2f544d
SHA1bdc42b280446ba53624ff23f314aadb861566832
SHA2560db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323
SHA5126e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7
-
Filesize
1.2MB
MD5d4485620ccb15d812b43949829b2e57c
SHA1d22e87ad11a1e05e8812f7f864119a19392f1afe
SHA2560d5c1574c54a4fcf0d982628e77fc7bbb16a0fc56ddc7519848e90afe338f6bd
SHA5120e87a3e0aa8fe4d2a3fd97e424bed867a256112ed4a9a5ff37063ba44b59474bb7ce14d18537c6b978b9d6ef4353cbc3647290eac96fd0b4fdf629bb53def3a7
-
Filesize
1.2MB
MD55dc6c7ede982c5f85225300f6b5c58d1
SHA1992d13ea85815ecdc27b2e1f2c149331b3e78355
SHA25639a4449b40ca8e7b04329dd78a69d39ad0983bfdc6e04581dbffee3cc0277b43
SHA51202fbcf39ecc202d0d59c9cc4ec5db4135ec4701307702ba4ea31808d748e896a34784e10f1eca21fb7ab0ca7b756fe8a6308a12eda1243f1c815aab839f3d4a8
-
Filesize
1.2MB
MD54973dd57c54fb08d24788030dd1c2e52
SHA1aa353ab1913590c3190f81323fb3d592d81508a4
SHA25685c2dbdef59f36b59923fe0502adc66fc9e9ab9ab005cade615b97c3bc1618a8
SHA512e351e0a848f8300d179d54ec67d736f23ac418124e146ee373dedb5f9545d9f3a10cdaeb7864df0e0004792296533e1538ace092d70963182f3cbf560d21ab83
-
Filesize
1.3MB
MD5d98e0fad1fcc4e61026ada4d45301ebb
SHA107e35a59829b582371d86cd5ba6950b630f3d6b1
SHA2567433332439d0363c65486e55eb45af50f3428ac5dfc6d5253a24a242ebaa4bdf
SHA512577fa71cd58d50be73b22d75b3c82f68fa6180e64b3b5f6fee93d4b6452ba610c60900900f129d88a7f44960ff96d7d291025fb25f6a14b950f7de82514cd834
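Added example (my code, not part of this tria.ge report or of tria.ge's tooling): a parser for the dropped-file hash records listed above, in both the extraction-flattened form ("MD5<hex>" on one line) and the rendered form (label on one line, hex on the next), with digest-length validation so that a truncated or mistyped hash never becomes a blocklist entry, and a matcher that checks every recorded digest of a candidate file, not MD5 alone. The names parse_records, digests_of, match_file and DroppedFile are mine; SAMPLE_REPORT is a constructed excerpt made of the report's own 60B record plus a constructed sample blob, and SAMPLE_BLOB is not a real dropped file.

```python
"""Parse the dropped-file hash records of a tria.ge-style report and match
files against them.  Added example: not part of the report or of tria.ge."""
import hashlib
import re
from dataclasses import dataclass, field

# Expected hex-digest length per algorithm; a digest of any other length is a
# truncated or damaged copy and must not become a blocklist entry.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Labels are tried longest-first so "SHA256..." is never read as "SHA1" + "256...".
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*(\S*)$")
HEX_RE = re.compile(r"^[0-9a-f]+$")


@dataclass
class DroppedFile:
    filesize: str                                  # as printed, e.g. "1.5MB"
    digests: dict = field(default_factory=dict)    # algorithm -> lowercase hex


def parse_records(text: str) -> list:
    """Return one DroppedFile per "Filesize" block in the report text.

    Accepts both the flattened form ("MD5<hex>" on one line) and the rendered
    form (label on one line, hex on the next).  Raises ValueError on a digest
    of the wrong length or with non-hex characters.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, current, i = [], None, 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if line == "Filesize":
            if i >= len(lines):
                raise ValueError("report ends after 'Filesize' with no value")
            current = DroppedFile(filesize=lines[i])
            records.append(current)
            i += 1
            continue
        m = LABEL_RE.match(line)
        if m is None or current is None:
            continue                               # "-" separators, other text
        label, hexval = m.group(1), m.group(2)
        if not hexval:                             # rendered form: next line
            if i >= len(lines):
                raise ValueError(f"report ends after '{label}' with no value")
            hexval = lines[i]
            i += 1
        hexval = hexval.lower()
        if len(hexval) != DIGEST_LEN[label] or not HEX_RE.match(hexval):
            raise ValueError(f"bad {label} in record {current.filesize!r}: {hexval!r}")
        current.digests[label] = hexval
    return records


def digests_of(data: bytes) -> dict:
    """All four digests of data, keyed like DIGEST_LEN."""
    return {name: getattr(hashlib, name.lower())(data).hexdigest() for name in DIGEST_LEN}


def match_file(records: list, data: bytes) -> list:
    """Records whose every recorded digest equals the matching digest of data.

    Comparing all recorded algorithms rather than MD5 alone means a record with
    one mistyped hex digit fails closed instead of producing a false positive.
    """
    have = digests_of(data)
    return [r for r in records
            if r.digests and all(have[alg] == hx for alg, hx in r.digests.items())]


# Constructed sample blob standing in for a dropped file; not from the analysis.
SAMPLE_BLOB = b"constructed sample payload, not a real dropped file\n"
_blob = digests_of(SAMPLE_BLOB)

# Constructed report excerpt: the first record is the report's 60B entry in the
# flattened form; the second is SAMPLE_BLOB in the rendered form.
SAMPLE_REPORT = f"""
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
{len(SAMPLE_BLOB)}B
MD5
{_blob['MD5']}
SHA1
{_blob['SHA1']}
SHA256
{_blob['SHA256']}
SHA512
{_blob['SHA512']}
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for r in recs:
        print(r.filesize, r.digests["SHA256"])
    print("matches:", [r.filesize for r in match_file(recs, SAMPLE_BLOB)])
```

To use it on a real report, paste the "Dropped files" section into a text file, call parse_records on its contents, and feed each file under investigation to match_file; the length check is what turns a damaged copy of one of these hashes into a loud error rather than a silent miss.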