Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18-11-2024 08:55
Static task
static1
Behavioral task
behavioral1
Sample
Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd
Resource
win10v2004-20241007-en
General
-
Target
Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd
-
Size
3.2MB
-
MD5
5f351f07b94613764a8bc09970bbcd58
-
SHA1
47fcfcac926a0007010b7afb776671d2276b8b81
-
SHA256
2a81c419a9fcd1eb9f778dba6911c366586b0ae9a5cf2cd25155413bfbff9eea
-
SHA512
49ddfcc8f58117ec824e35b1a2bf6928cf580e4337a8f9aa1d7d4dc62a6e93bb811702d0ed2c970f1f0a08b013ffc5ba6dcc6951c6d59f9a0d7915c3b9f3baae
-
SSDEEP
24576:/EldPvpS3bi8Kz95FnA8S21f063u9vsk/ZkSgR+lY1Q7FZU1n9dJCNUeE1Zperr8:/ARo3biB55HSwTBvfbb
Malware Config
Extracted
Protocol: smtp- Host:
s82.gocheapweb.com - Port:
587 - Username:
[email protected] - Password:
london@1759
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage 61 IoCs
resource yara_rule behavioral2/memory/644-29-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-34-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-43-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-51-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-63-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-85-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-93-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-92-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-90-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-89-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-87-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-86-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-84-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-83-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-62-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-82-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-80-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-79-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-77-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-74-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-71-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-70-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-69-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-54-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-91-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-66-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-88-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-64-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-65-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-81-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-50-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-61-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-49-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-59-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-76-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-58-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-75-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-73-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-57-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-72-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-56-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-55-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-68-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-67-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-53-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-52-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-60-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-48-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-47-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-46-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-45-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-44-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-42-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-41-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-40-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-39-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-38-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-37-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-36-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-35-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 behavioral2/memory/644-33-0x0000000002EF0000-0x0000000003EF0000-memory.dmp modiloader_stage2 -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 6996 powershell.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation Trading_AIBot.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation aymtmquJ.pif -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk Trading_AIBot.exe -
Executes dropped EXE 43 IoCs
pid Process 3164 alpha.exe 1152 alpha.exe 636 kn.exe 1148 alpha.exe 3068 kn.exe 644 AnyDesk.PIF 5104 alpha.exe 3812 alpha.exe 1852 alpha.pif 2268 alpha.pif 896 alpha.pif 1884 xpha.pif 1792 per.exe 3876 pha.pif 3812 alpha.pif 4144 alpha.pif 2772 alpha.pif 3228 aymtmquJ.pif 680 alg.exe 636 Native_neworigin.exe 2240 Trading_AIBot.exe 3592 DiagnosticsHub.StandardCollector.Service.exe 976 elevation_service.exe 2076 elevation_service.exe 6420 maintenanceservice.exe 6876 OSE.EXE 6008 apihost.exe 6640 fxssvc.exe 5160 msdtc.exe 5992 PerceptionSimulationService.exe 1824 perfhost.exe 3724 locator.exe 4032 SensorDataService.exe 2212 snmptrap.exe 6268 spectrum.exe 6584 ssh-agent.exe 6560 TieringEngineService.exe 6760 AgentService.exe 6832 vds.exe 1744 vssvc.exe 5648 wbengine.exe 5272 WmiApSrv.exe 5148 SearchIndexer.exe -
Loads dropped DLL 1 IoCs
pid Process 1792 per.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Juqmtmya = "C:\\Users\\Public\\Juqmtmya.url" AnyDesk.PIF -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 49 api.ipify.org 50 api.ipify.org -
Drops file in System32 directory 28 IoCs
description ioc Process File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe File opened for modification C:\Windows\System32\vds.exe Native_neworigin.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\ef0c8345cad6a2b9.bin alg.exe File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe Native_neworigin.exe File opened for modification C:\Windows\system32\AgentService.exe Native_neworigin.exe File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe Native_neworigin.exe File opened for modification C:\Windows\system32\AppVClient.exe aymtmquJ.pif File opened for modification C:\Windows\System32\msdtc.exe Native_neworigin.exe File opened for modification C:\Windows\system32\dllhost.exe alg.exe File opened for modification C:\Windows\system32\dllhost.exe aymtmquJ.pif File opened for modification C:\Windows\system32\AppVClient.exe alg.exe File opened for modification C:\Windows\system32\locator.exe Native_neworigin.exe File opened for modification C:\Windows\System32\alg.exe aymtmquJ.pif File opened for modification C:\Windows\system32\AppVClient.exe Native_neworigin.exe File opened for modification C:\Windows\system32\fxssvc.exe Native_neworigin.exe File opened for modification C:\Windows\SysWow64\perfhost.exe Native_neworigin.exe File opened for modification C:\Windows\system32\spectrum.exe Native_neworigin.exe File opened for modification C:\Windows\system32\wbengine.exe Native_neworigin.exe File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe aymtmquJ.pif File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe Native_neworigin.exe File opened for modification C:\Windows\system32\TieringEngineService.exe Native_neworigin.exe File opened for modification C:\Windows\system32\vssvc.exe Native_neworigin.exe File opened for modification C:\Windows\system32\SearchIndexer.exe Native_neworigin.exe File opened for modification C:\Windows\System32\SensorDataService.exe Native_neworigin.exe File opened for modification C:\Windows\System32\snmptrap.exe Native_neworigin.exe File opened for modification C:\Windows\system32\dllhost.exe Native_neworigin.exe File opened for modification C:\Windows\system32\msiexec.exe Native_neworigin.exe File opened for modification C:\Windows\system32\SgrmBroker.exe Native_neworigin.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 644 set thread context of 3228 644 AnyDesk.PIF 124 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe alg.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe alg.exe File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE Native_neworigin.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe Native_neworigin.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe Native_neworigin.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe Native_neworigin.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe alg.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe Native_neworigin.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe Native_neworigin.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe Native_neworigin.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\java-rmi.exe Native_neworigin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe alg.exe File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe Native_neworigin.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe Native_neworigin.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe alg.exe File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe alg.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe alg.exe File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe alg.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe Native_neworigin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe Native_neworigin.exe File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe Native_neworigin.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe alg.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe alg.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe alg.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe Native_neworigin.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe Native_neworigin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Native_neworigin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe Native_neworigin.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Native_neworigin.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe alg.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe alg.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe alg.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe alg.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe alg.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe Native_neworigin.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe Native_neworigin.exe File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe Native_neworigin.exe File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe alg.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe alg.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe Native_neworigin.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe Native_neworigin.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe alg.exe File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe alg.exe File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe Native_neworigin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe Native_neworigin.exe File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE alg.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe alg.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe alg.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe Native_neworigin.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe Native_neworigin.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe alg.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\java-rmi.exe alg.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe alg.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe alg.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe Native_neworigin.exe File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Native_neworigin.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe alg.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe alg.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe alg.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe Native_neworigin.exe File opened for modification C:\Windows\DtcInstall.log msdtc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language alpha.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language alpha.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language alpha.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language alpha.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aymtmquJ.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AnyDesk.PIF Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language alpha.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Native_neworigin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language apihost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language alpha.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xpha.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trading_AIBot.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3648 esentutl.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" fxssvc.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 7024 schtasks.exe -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 20 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 6008 apihost.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 3876 pha.pif 3876 pha.pif 636 Native_neworigin.exe 636 Native_neworigin.exe 6996 powershell.exe 6996 powershell.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 664 Process not Found 664 Process not Found -
Suspicious use of AdjustPrivilegeToken 21 IoCs
description pid Process Token: SeDebugPrivilege 3876 pha.pif Token: SeTakeOwnershipPrivilege 3228 aymtmquJ.pif Token: SeDebugPrivilege 636 Native_neworigin.exe Token: SeDebugPrivilege 2240 Trading_AIBot.exe Token: SeDebugPrivilege 6996 powershell.exe Token: SeDebugPrivilege 6008 apihost.exe Token: SeDebugPrivilege 680 alg.exe Token: SeDebugPrivilege 680 alg.exe Token: SeDebugPrivilege 680 alg.exe Token: SeAuditPrivilege 6640 fxssvc.exe Token: SeRestorePrivilege 6560 TieringEngineService.exe Token: SeManageVolumePrivilege 6560 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 6760 AgentService.exe Token: SeBackupPrivilege 1744 vssvc.exe Token: SeRestorePrivilege 1744 vssvc.exe Token: SeAuditPrivilege 1744 vssvc.exe Token: SeBackupPrivilege 5648 wbengine.exe Token: SeRestorePrivilege 5648 wbengine.exe Token: SeSecurityPrivilege 5648 wbengine.exe Token: 33 5148 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 5148 SearchIndexer.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 636 Native_neworigin.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 916 wrote to memory of 1084 916 cmd.exe 84 PID 916 wrote to memory of 1084 916 cmd.exe 84 PID 916 wrote to memory of 3164 916 cmd.exe 85 PID 916 wrote to memory of 3164 916 cmd.exe 85 PID 3164 wrote to memory of 2640 3164 alpha.exe 86 PID 3164 wrote to memory of 2640 3164 alpha.exe 86 PID 916 wrote to memory of 1152 916 cmd.exe 87 PID 916 wrote to memory of 1152 916 cmd.exe 87 PID 1152 wrote to memory of 636 1152 alpha.exe 88 PID 1152 wrote to memory of 636 1152 alpha.exe 88 PID 916 wrote to memory of 1148 916 cmd.exe 90 PID 916 wrote to memory of 1148 916 cmd.exe 90 PID 1148 wrote to memory of 3068 1148 alpha.exe 91 PID 1148 wrote to memory of 3068 1148 alpha.exe 91 PID 916 wrote to memory of 644 916 cmd.exe 93 PID 916 wrote to memory of 644 916 cmd.exe 93 PID 916 wrote to memory of 644 916 cmd.exe 93 PID 916 wrote to memory of 5104 916 cmd.exe 94 PID 916 wrote to memory of 5104 916 cmd.exe 94 PID 916 wrote to memory of 3812 916 cmd.exe 95 PID 916 wrote to memory of 3812 916 cmd.exe 95 PID 644 wrote to memory of 3628 644 AnyDesk.PIF 105 PID 644 wrote to memory of 3628 644 AnyDesk.PIF 105 PID 644 wrote to memory of 3628 644 AnyDesk.PIF 105 PID 3628 wrote to memory of 1632 3628 cmd.exe 107 PID 3628 wrote to memory of 1632 3628 cmd.exe 107 PID 3628 wrote to memory of 1632 3628 cmd.exe 107 PID 3628 wrote to memory of 3648 3628 cmd.exe 108 PID 3628 wrote to memory of 3648 3628 cmd.exe 108 PID 3628 wrote to memory of 3648 3628 cmd.exe 108 PID 3628 wrote to memory of 1852 3628 cmd.exe 109 PID 3628 wrote to memory of 1852 3628 cmd.exe 109 PID 3628 wrote to memory of 1852 3628 cmd.exe 109 PID 3628 wrote to memory of 2268 3628 cmd.exe 110 PID 3628 wrote to memory of 2268 3628 cmd.exe 110 PID 3628 wrote to memory of 2268 3628 cmd.exe 110 PID 3628 wrote to memory of 896 3628 cmd.exe 111 PID 3628 wrote to memory of 896 3628 cmd.exe 111 PID 3628 wrote to memory of 896 3628 cmd.exe 111 PID 896 wrote to memory of 1884 896 alpha.pif 112 PID 896 wrote to memory of 1884 896 alpha.pif 112 PID 896 wrote to memory of 1884 896 alpha.pif 112 PID 3628 wrote to memory of 1792 3628 cmd.exe 115 PID 3628 wrote to memory of 1792 3628 cmd.exe 115 PID 1792 wrote to memory of 4944 1792 per.exe 116 PID 1792 wrote to memory of 4944 1792 per.exe 116 PID 1792 wrote to memory of 3876 1792 per.exe 118 PID 1792 wrote to memory of 3876 1792 per.exe 118 PID 3628 wrote to memory of 3812 3628 cmd.exe 120 PID 3628 wrote to memory of 3812 3628 cmd.exe 120 PID 3628 wrote to memory of 3812 3628 cmd.exe 120 PID 3628 wrote to memory of 4144 3628 cmd.exe 121 PID 3628 wrote to memory of 4144 3628 cmd.exe 121 PID 3628 wrote to memory of 4144 3628 cmd.exe 121 PID 3628 wrote to memory of 2772 3628 cmd.exe 122 PID 3628 wrote to memory of 2772 3628 cmd.exe 122 PID 3628 wrote to memory of 2772 3628 cmd.exe 122 PID 644 wrote to memory of 3964 644 AnyDesk.PIF 123 PID 644 wrote to memory of 3964 644 AnyDesk.PIF 123 PID 644 wrote to memory of 3964 644 AnyDesk.PIF 123 PID 644 wrote to memory of 3228 644 AnyDesk.PIF 124 PID 644 wrote to memory of 3228 644 AnyDesk.PIF 124 PID 644 wrote to memory of 3228 644 AnyDesk.PIF 124 PID 644 wrote to memory of 3228 644 AnyDesk.PIF 124 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd"1⤵
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\System32\extrac32.exeC:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"2⤵PID:1084
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe3⤵PID:2640
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 92⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Users\Public\kn.exeC:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 93⤵
- Executes dropped EXE
PID:636
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 122⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Users\Public\kn.exeC:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 123⤵
- Executes dropped EXE
PID:3068
-
-
-
C:\Users\Public\Libraries\AnyDesk.PIFC:\Users\Public\Libraries\AnyDesk.PIF2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:644 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\aymtmquJ.cmd" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3628 -
C:\Windows\SysWOW64\esentutl.exeC:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o4⤵PID:1632
-
-
C:\Windows\SysWOW64\esentutl.exeC:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o4⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3648
-
-
C:\Users\Public\alpha.pifC:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1852
-
-
C:\Users\Public\alpha.pifC:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2268
-
-
C:\Users\Public\alpha.pifC:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 104⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Users\Public\xpha.pifC:\\Users\\Public\\xpha.pif 127.0.0.1 -n 105⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1884
-
-
-
C:\Windows \SysWOW64\per.exe"C:\\Windows \\SysWOW64\\per.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SYSTEM32\esentutl.exeesentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o5⤵PID:4944
-
-
C:\Users\Public\pha.pifC:\\Users\\Public\\pha.pif -WindowStyle hidden -Command Add-MpPreference -ExclusionPath 'C:\Users'5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3876
-
-
-
C:\Users\Public\alpha.pifC:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3812
-
-
C:\Users\Public\alpha.pifC:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW644⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4144
-
-
C:\Users\Public\alpha.pifC:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2772
-
-
-
C:\Windows\SysWOW64\esentutl.exeC:\\Windows\\System32\\esentutl.exe /y C:\Users\Public\Libraries\AnyDesk.PIF /d C:\\Users\\Public\\Libraries\\Juqmtmya.PIF /o3⤵PID:3964
-
-
C:\Users\Public\Libraries\aymtmquJ.pifC:\Users\Public\Libraries\aymtmquJ.pif3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3228 -
C:\Users\Admin\AppData\Local\Temp\Native_neworigin.exe"C:\Users\Admin\AppData\Local\Temp\Native_neworigin.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:636
-
-
C:\Users\Admin\AppData\Local\Temp\Trading_AIBot.exe"C:\Users\Admin\AppData\Local\Temp\Trading_AIBot.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2240 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ACCApi'5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6996
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe" /st 09:01 /du 23:59 /sc daily /ri 1 /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:7024
-
-
C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe"C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:6008
-
-
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S2⤵
- Executes dropped EXE
PID:5104
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.jpeg" / A / F / Q / S2⤵
- Executes dropped EXE
PID:3812
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:680
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:3592
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
- Executes dropped EXE
PID:976
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2076
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:6420
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:6876
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:1832
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6640
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5160
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:5992
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:1824
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:3724
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4032
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:2212
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:6268
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:6584
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:6604
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:6560
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6760
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:6832
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1744
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5648
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:5272
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5148 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵PID:4580
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵PID:4620
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD5f4d3c3c5e2db6718a254b2ef644344d2
SHA1c69902a657bae7fba2e72368271645d0ca152b7a
SHA256f290334c1ff641fefad2747e24a8b4254826c67bde0bc3a525d6da32834c6299
SHA512444ae2715bf5a289c5fd8d3b275036ce418b58ab5c90094181d48181c21f7be4d20bf8af613a49ef3bd0b0006119a6d3ce5b6952ca0ffa5c12ba50e9fb883554
-
Filesize
1.3MB
MD59218249d6bde94bf2577d91ceb6b01c3
SHA12ce59936dc2aac47674d57cd31ad426438307f40
SHA256cf4838ad000b4cd409a3ad1b4c3046f0ae4b55d6d69c7dfe30900243c5f50edd
SHA512afa1b7c32da0a72947b265952285f1b3f536b74153d08fa917deba6133ca37569ec8a04b6b176174cebe1ea3932a759bc6f9fd586cd77e062c324742f867a462
-
Filesize
1.6MB
MD535774e2205ada7ea59e7c2a51d0f63cf
SHA1812acbab6e18065a0c35156515ff5afa8bdc592c
SHA256117638559640b12e81d77d0b1be1b7babcadbf472562ca4e101d6852ae3563bc
SHA512a9d9f0f674dbc625e1904a64bfb17dbad19d29592194f60eee817d248539ce76b65c629afe2b1ba71b98e3f367a17a987e46220ccc8b5f4a31ea0473c235866d
-
Filesize
1.5MB
MD5fff2aab6002fd799ae44166ec9e8b1c9
SHA102ad05f314b1a822701c2573711ffce5a23c7990
SHA2562b10709909672d4cda82b4708ab3262a59358f9a606dbeeed05ff77653d775c7
SHA512085ca049a108b38e4c717a56924780f7cfd512808fcb99dfcf42357887144190628c4ae36e7f2e0efe8a633008cc0bd59ee7a80887cdb5468a862792f3ca2c91
-
Filesize
1.2MB
MD531c3550785ad6a2bad7c14fd2a14a415
SHA1b3fb52b0ea4f32218b74844ac5533b4b3c68828b
SHA25661eb28edcc2e1d205e472b9235ef6815fa270e159c06b8e87749d585026e7f91
SHA512f2aad612159c074b95a8fb5f89cd64ecaad8403b7458b4082820b36c05485130aad609f07fbd82c73a4d466295ccfb4afec283c29ff9fdd579bdec313f760f6d
-
Filesize
1.3MB
MD5eee59287a53f60aacd75b77873fc1e70
SHA1d1e802c7585b2e680863ac551d449153a5497379
SHA256172bdaabf5cdc265b03bd736ee29b0cd57d47cb5d17c42e1a4f02e4d6ed6a0e9
SHA512b27b2148451b3badcda952eb9995ffa7425099a7fc8a2b51626b36981389c3e0b531ffff0d30ea6bb11dd76578eb6d3c156371700632f873d8d6b63035cfd244
-
Filesize
2.1MB
MD551d4de8a9802d0d40f04a0de92ecca0c
SHA171954ee68c73e7e63e88f2b491ba61536ae10c9d
SHA2565dce780e0a1e79ec45ec83c4e97481f558ea37604a8b3ff7c70e573c23644192
SHA5126caa5de796dcc3cb1a576278ecc9563ca312bd99fe79fc506ae0f25503b95078dd3c672809f9673d9b72fb02f59fe104da886c6fa94e73a72f2a8ec4d82fe4ea
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
1.4MB
MD59ece2aae8e8fa77849268dda20caec7b
SHA151a2dcbba6bcbb069a3a5ab77659d46e98b02289
SHA256a7ba9eac2a255cab335d7b0d00da00c962e2becc8aebf313434e861c502d5dd9
SHA512e3cb79fb953d247c98b06e64efe737d53eb57233b43b4fd2a637ebd0f5c9ff088adcaf4cffc095aa6a6ce7b87f4b9812d1d8b76a0d27bbbbb4955fa57260adb7
-
Filesize
69KB
MD5e91a1db64f5262a633465a0aaff7a0b0
SHA1396e954077d21e94b7c20f7afa22a76c0ed522d0
SHA256f19763b48b2d2cc92e61127dd0b29760a1c630f03ad7f5055fd1ed9c7d439428
SHA512227d7dad569d77ef84326e905b7726c722ceff331246de4f5cf84428b9721f8b2732a31401df6a8cef7513bcd693417d74cdd65d54e43c710d44d1726f14b0c5
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
12KB
MD5c4d55d1cac6e1a85b0de9cb2f0c4de6f
SHA12b45d1b2970214fccec6f739735395bef76cd885
SHA25662a422d61dfe81ff862d98dc944109227643d17d0baaaf2715d2381a6b3581df
SHA512a8fc1e3a82067e659e24bc1311223cd871cb7d50eb8b160230358f658526c7667465d5504d87f307f8bd1464b2995ea3ec5f81cfdb671d62f63083ed76cb90d0
-
Filesize
2.3MB
MD504ad7e38aa2f399b5862e6267697632a
SHA1a30e9c94bb215f0b96a651432f8f74f4a06284de
SHA256da4101eba193661f3016d2b4b6328cf8d0cb16ac58c1470683bc07d8baf34ebe
SHA512b7cacc98c0d5c7b3f03cde8b294cb6534be25c560e78c6cf5304285774b56493e98346152a587162d1347eddc7f751bd164a78dd257383b0b59b37d89d6ba5a8
-
Filesize
1.2MB
MD52ef70d96354cc04d9168e8f69e7b17a0
SHA192eee1bb5de4f4d50805101b83e4a3a1a602856b
SHA2565842b3e5271efed831bf21f4821431bb1a7dcc94bafab135b62d34bfdb32f503
SHA5123c46f059b5e2c806efdfea71dad8bcc236bfc753dc3b15e637d6697231313b68232d0f4bc6921b41ed76f2471891718678ec7b6c6dda0a5d7c9f7ae8a57580b3
-
Filesize
60KB
MD5b87f096cbc25570329e2bb59fee57580
SHA1d281d1bf37b4fb46f90973afc65eece3908532b2
SHA256d08ccc9b1e3acc205fe754bad8416964e9711815e9ceed5e6af73d8e9035ec9e
SHA51272901adde38f50cf6d74743c0a546c0fea8b1cd4a18449048a0758a7593a176fc33aad1ebfd955775eefc2b30532bcc18e4f2964b3731b668dd87d94405951f7
-
Filesize
66KB
MD5c116d3604ceafe7057d77ff27552c215
SHA1452b14432fb5758b46f2897aeccd89f7c82a727d
SHA2567bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA5129202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6
-
Filesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
Filesize
231KB
MD5d0fce3afa6aa1d58ce9fa336cc2b675b
SHA14048488de6ba4bfef9edf103755519f1f762668f
SHA2564d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22
SHA51280e127ef81752cd50f9ea2d662dc4d3bf8db8d29680e75fa5fc406ca22cafa5c4d89ef2eac65b486413d3cdd57a2c12a1cb75f65d1e312a717d262265736d1c2
-
Filesize
1.6MB
MD5bd8d9943a9b1def98eb83e0fa48796c2
SHA170e89852f023ab7cde0173eda1208dbb580f1e4f
SHA2568de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
SHA51295630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
18KB
MD5b3624dd758ccecf93a1226cef252ca12
SHA1fcf4dad8c4ad101504b1bf47cbbddbac36b558a7
SHA2564aaa74f294c15aeb37ada8185d0dead58bd87276a01a814abc0c4b40545bf2ef
SHA512c613d18511b00fa25fc7b1bdde10d96debb42a99b5aaab9e9826538d0e229085bb371f0197f6b1086c4f9c605f01e71287ffc5442f701a95d67c232a5f031838
-
Filesize
115KB
MD5fc9b64a2b1006891bf39ebf395b4eba8
SHA10e98ba291d77ff8a57b5ebe198ff0c2e6c2bea00
SHA2561093d0809ed5223c8ea2d723032c0ee2bfd1d971ad6ac69904983ec545000b3d
SHA5129d5a9716b71b436dd465cdf8ed8471747828420cec7c5dad3406072e53f8de6e31253968e55ef49dc19a8245993b00164f193a3752cc16fce3887c4737db906d
-
Filesize
94KB
MD5869640d0a3f838694ab4dfea9e2f544d
SHA1bdc42b280446ba53624ff23f314aadb861566832
SHA2560db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323
SHA5126e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7
-
Filesize
1.1MB
MD57951d715e6ee8a1994ed87b87031f3ef
SHA12efde8c8d4ed53a324c39593e4e5377fe736e8e3
SHA2568690ada81d6aaad9b4f23ef39e877663163c8a6733762c2c5dc50d4f43fba5f3
SHA512b3643b934501af6c2b05c52abba123cdde5c19861694a5b88de43d44b6e93573021c81908163f94a3da7745f061ec35fb494811cf7f10572e35c3c682963457d
-
Filesize
1.7MB
MD505fe9ac5fd8930b619a244401bf5a5eb
SHA1dcb6e9c8936007cd7839a8215ca837a7d7bdeea5
SHA2566de8b630d7bc15948ee4a94b62db917094b5bd2893b0075c7c10275afd3fd9d9
SHA512cc072db6146ba6a314b79674a46567c09486db177b0dc37713facaa27288db59f8910167c9035ccd28aac0f00b601919cfe269b4a455e8409d56bb696c10b08f
-
Filesize
1.2MB
MD54b46bf0a7ef8b8a94860712bd44ed99f
SHA1438ae84451acd01fd0563efb857c6102eb161dff
SHA256f02a019bcfd2a3b1ae978dbab164cc4bea1d0a3743e0071b2f50fcb723a43e24
SHA512c86bea07998da1ab1a5f2f988b21a1500b64350a7f3257891c0fc902ce907f3547205921c60e93f55ae2365ee13107fcb87035320b4beff95669eed3cda0dcc9
-
Filesize
1.2MB
MD505cb09f4faf70d97c11d2f79241b433c
SHA1d901469f2e427fd91a5fa5e77d5466558374adb3
SHA25613e219260a15bfe2917bdee167e361df52815072bea2c09ba737826fc28d106e
SHA51266b0c4e1feb73fb27fdeb1c283a56bcec5d60afba946062a98ec2217a73c081d1edf73dd94718ff7b1d655e36169d2078d3a95400ae3317ba96ccac6e38548db
-
Filesize
1.1MB
MD5709e97ec81ca9e5cc27ac8e1a394d494
SHA1240623eb01a80441a286f3f32ef29c44624c3f3c
SHA2562e68277edeac32e3af149583998429b00615b61c6fe924926acf3eced8f7019d
SHA51203b9ea85bfbacaf09582b52b0ebd4d10bbfe48c912acc46109aa912af3b4b223250a0c1b7eb61040578e0b20fdc84da1a11949a7a3bd54105e4598b40c1bf043
-
Filesize
1.4MB
MD5500ecc42374ecc2da3ec88986416e251
SHA18ef198abab9eb7aa3fa354be3358251e78249fca
SHA256944c681a5be3203aad6bb5ad3f325f3230c8abb2ea35aa34dbb882a79341860a
SHA51217e7e8cf11128c626088fa31318114d833eddd1b7b53dbbb6602a1be33f4d67d3709c00059d448a1128286369a6f8b6cbce5f7ab831a9f6ad3723a0a116f14f9
-
Filesize
1.2MB
MD590e4fcf0c6a7d07469b1d621590c68eb
SHA1e556a601d8014317dd63033b75aa0b38449e0301
SHA2563e9bb304e54fbc5452472df08a20a330f7aabf827b1cfbf421315aa3ea561402
SHA512f0e276982c8814cd3d247a784410e34918856087a3d66b59459f0629ca7d41af8460073fc84817a312c950015e4a9acef5073f7c8b2742dcc2477c7928095c9f
-
Filesize
1.4MB
MD5424eb4c1c01be8767a9aaa2623ad890d
SHA198d882beaf9b2c54dd63cff9fa301d0a4e8f7e7a
SHA256b8c90230232c599a208fc617115fc252e321ae9f354287408704e5db61b6fda1
SHA51228540f73254534cce3b21f118ba3fef477073914235bf991ff9db5e7b488ee89a70548a17d90080ba56e1e4eefeb4880f796d3eeb67294878b703352589bf1d6
-
Filesize
1.8MB
MD521b381ffae2813b2f3331b693f61b940
SHA12e91917b3fd71f4d8a8168d602d189ed855394b9
SHA2563e3581007b556bbbcc6df728d77acfc8b5482098cfe73da2cab75662330645c9
SHA512d9024dc84033c173cc41318c0f2513612f737c7a8bbb3afd2a15cd36ff6aa6750770bf12902eaf035c31302c8711adcb418c40ff5afa77c5d85e49e9f0553787
-
Filesize
1.4MB
MD5a1e976fc0910412110b536f5dea32a49
SHA1ef8af2b711d9f5327edd07030e847180f3335f25
SHA256895d1a29764a33e304567d37919c9827b587132e7851c45394b7b8495c82efd5
SHA512467a58c30ecc923c8754b478d8b648274102e32b56e3d066745c123eb715fcad9b6bd7a587ae32690f5ca4bdcf3eb891732e72eede2ebcc706e928d4c768df69
-
Filesize
1.4MB
MD57e5f1f12d0ee0bb805534568b7900d4b
SHA1cd21d4f51062cf55d8e7c487f3937c2b1716e2c4
SHA256ca0bd02cc5faa2ecddeeb259deda9fb8ac7d44c4bf5b4025947d4a004d8a7597
SHA51299fe90c6c3b48af77b6bc65803c8ead3a95ad351b951e50ea5d644df5e7537a3f472fda9baaa90dc5ca9504eb41ada28f33e1ffd680618df647143ab39c9a629
-
Filesize
2.0MB
MD5981c6284b96e81ec84baf84d8e428384
SHA1cf3015058b0719b28b7cd3b9102b29379bf8d8ba
SHA256f5c7694dc2669c4a5e99b77e0a60be1c74e133c86186fa2c1ecfb438b90643b6
SHA51238b1d8c1f09422642f40c548aa5736ae77746a1065e7c81b60cc7b537cc21f0fe11680515e7d6cc03d4b36ace817a93ba8212456c5f978a0dea1f4fbe216e0c9
-
Filesize
1.2MB
MD5ae40df3f86947faeb0828fdeffec8ff2
SHA1575facd30423aad4e813060063ed76e647932ba1
SHA256f12a8b0b0d745d3a0945ec999da0eec475ffa9cdf5f90367904c5401009f5d37
SHA512026ccc75b9eabf7ddb222e66162cb42e103055a018f94c27be143b27e830ec461bda4eb9f23cf2addd9c9fdc2031563f8210435fd2f5f67949519b09148ee6ff
-
Filesize
1.2MB
MD596780552b55df74c2e1720f6eec39307
SHA1949ff52cb1c742dc253c93a53957da47a2fc675b
SHA25623014e53db85004a8146afb33db869547694c54de22bbd04ca5859178c74ac2d
SHA51244517e5fc515c5a0767637b3a3c447fd3602d113e42dad1ed5502dc50c19a6cdb902a2217f433fd530122fbba6834d10ec2c3999e876f506ef044713226b9ee3
-
Filesize
1.1MB
MD5ae73a22c3bdc59a06a0ccf23b87d6475
SHA1c56fcd202b2fa2abbe97e82b92f99f4105fc68c0
SHA25667cb4683f3bacc30ecbb099662c4064362a40efcec58ae4df81744672b2bf3c1
SHA51237577db5a3cd52393364f1bff197a97b4cc8c4dba9ef1505e4cb144f18dc6d3cf3006e3f132c79a3998b828d5afe3fe6bee4ff6184ab1af983a9971f2cdf6207
-
Filesize
1.3MB
MD5bfebdbe9e484d03a0021353fe1084663
SHA1a09138587672e20d0c794cd647f2f538196f611f
SHA2566f51b120d17e5e4e487f3eafa33217d5a08a1275ec6539e28ebbf1ae0da1e019
SHA512e3772a2bc40b689570cdb390e98aa1eb7e882f7c15d8fc4f072fe3e8a4ca6518423e7f103b7dcc7e612c94e15e3e91ae7f63b442810bf22190090209816902f7
-
Filesize
1.3MB
MD5c24b076b8c9e95d29115a3a85a78f7da
SHA10dc241da0456d76d9c87c7cef091fe98a06a191d
SHA256f95b0a4cedd18efa8bfdc8b5c3d77414044d2c2e4b902260913b60b1db654051
SHA5124925be18b1439f657b733c9fa92e93e0351b2c972f8848663b599f1e468881cfd48aaace45992100caaa1473fb38caaa60f2c571c13666d4f115e1c84114ae6a
-
Filesize
2.1MB
MD59726711becc2df4067f39a890a8f1828
SHA1b402c40fd463808c4844ee24039bbde151f2edd3
SHA2562266245cc1d726f9990b7e3bff62bab7a40cf778ee8d748d3fc0bcbeefbcee75
SHA5128713283533eae29138e5a4535a8b3898d50c0a990013213416807d165809560596b89697737168edc739f7c52dfe64c4e879ae6cd80fe285d40e5ecfde996827
-
Filesize
1.3MB
MD56e2e6ac3bb9e4e87bd78863b4a6a261b
SHA1687b8b0b9769fc6a42ac9587fbd5c5462168d3cf
SHA25687c9f6765e75034871277e573a88f616eff574940d69fc5751081f8337b9c3f3
SHA512808df4ca0837f3add9fd589e82499539dabab7d38ad87e5bd80f7f5c6e7e6c87b84de2fd5856d605346864767c8dcd041c379f9a277be94ace026248b62ae9a1