Analysis
max time kernel: 148s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/01/2025, 14:08
Static task: static1

Behavioral task: behavioral1
Sample: 5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992.exe
Resource: win7-20241023-en

Behavioral task: behavioral2
Sample: 5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992.exe
Resource: win10v2004-20241007-en
General
Target: 5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992.exe
Size: 2.7MB
MD5: 5f573a664988c7ae35ec36f0e619728e
SHA1: e9af094474fdb64ae89014abfd7fc67aff7b4324
SHA256: 5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992
SHA512: 6ca73ea44d42869bbd99cdd1ba6853c76531868d50e8cf75bcfa27ea67c9de10d77fea177f08c3343b34107784520ccdd8d1a2b05e00fefe85e10f8800a38083
SSDEEP: 49152:9AodtaG9kS2U84B+FLan9k5TRM9zlgVjgg0YOm+3iZ1o1e4XTur23ANIS://B1pY/ZiDG2a
Malware Config

Extracted
Protocol: smtp
Host: s82.gocheapweb.com
Port: 587
Username: [email protected]
Password: london@1759

Extracted (agenttesla)
Protocol: smtp
Host: s82.gocheapweb.com
Port: 587
Username: [email protected]
Password: london@1759
Email To: [email protected]

Extracted (redline)
Botnet: FOZ
C2: 212.162.149.53:2049
Signatures

AgentTesla
Agent Tesla is a .NET remote access tool (RAT) and credential stealer, originally written in Visual Basic.

Agenttesla family
RedLine
RedLine Stealer is an information-stealing malware family written in C#, first seen in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x000b000000023bb0-57.dat | family_redline
behavioral2/memory/1976-81-0x00000000007F0000-0x0000000000842000-memory.dmp | family_redline
(PID 1976 is build.exe; see Executes dropped EXE below.)

Redline family
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
pid | Process
2308 | powershell.exe
1592 | powershell.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, most likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | 5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | server_BTC.exe
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk | server_BTC.exe

Executes dropped EXE (26 IoCs)
pid | Process
3172 | server_BTC.exe
3248 | neworigin.exe
1976 | build.exe
3812 | alg.exe
1788 | elevation_service.exe
4760 | elevation_service.exe
3720 | maintenanceservice.exe
2120 | OSE.EXE
2524 | TrojanAIbot.exe
4708 | DiagnosticsHub.StandardCollector.Service.exe
4900 | fxssvc.exe
1472 | msdtc.exe
1952 | PerceptionSimulationService.exe
1096 | perfhost.exe
2476 | locator.exe
4840 | SensorDataService.exe
4324 | snmptrap.exe
1932 | spectrum.exe
436 | ssh-agent.exe
1048 | TieringEngineService.exe
840 | AgentService.exe
4784 | vds.exe
1740 | vssvc.exe
4424 | wbengine.exe
1480 | WmiApSrv.exe
3420 | SearchIndexer.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs such as FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
9 | api.ipify.org
11 | api.ipify.org
Drops file in System32 directory (24 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\89f62434983eaefb.bin | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | CasPol.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 920 set thread context of 4124 | 920 | 5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992.exe | 86
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | alg.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
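The behaviours flagged above (PowerShell adding Defender exclusions, the Geo\Nation country lookup, the Startup-folder .lnk, the external IP lookup, and dropped processes rewriting executables under Windows and Program Files) together with the network indicators from Malware Config can be turned into host-side detection rules. The following is an added example, not part of the tria.ge report and not code from the sample. The event schema (type/image/...) is invented as a stand-in for normalized EDR or sandbox API-trace telemetry, the events themselves are constructed to mirror rows of this report (the drop paths are made up), the Defender cmdlet names are an assumption since the report does not show the PowerShell command line, and the installer allow-list is a heuristic. Note that Sysmon records process creation, network connects, file creates and DNS queries but not registry reads, so the Geo\Nation rule needs API-level tracing such as the sandbox's.

```python
"""Detection rules for the behaviours listed in this report, run over a
constructed event stream. Added example, not code from the report or sample."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Network indicators taken from the Malware Config section of this report.
AGENTTESLA_SMTP = ("s82.gocheapweb.com", 587)
REDLINE_C2 = ("212.162.149.53", 2049)
IP_LOOKUP_HOSTS = {"api.ipify.org"}

# Assumption: the report only says PowerShell added Defender exclusions; the
# cmdlet names below are the usual way of doing that, not the observed line.
DEFENDER_EXCLUSION = re.compile(
    r"\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Extension|Process)\b", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
SYSTEM_EXE = re.compile(r"^C:\\(Windows|Program Files( \(x86\))?)\\.*\.exe$", re.I)
# Heuristic allow-list of processes expected to rewrite executables there.
INSTALLERS = {"trustedinstaller.exe", "msiexec.exe", "tiworker.exe"}


@dataclass(frozen=True)
class Hit:
    rule: str
    image: str
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[Hit]:
    """Apply every rule to one normalized event; return the rules it trips."""
    hits: list[Hit] = []
    kind, image = ev["type"], basename(ev["image"])
    if (kind == "process_create" and image == "powershell.exe"
            and DEFENDER_EXCLUSION.search(ev.get("cmdline", ""))):
        hits.append(Hit("defender_exclusion_via_powershell", image, ev["cmdline"]))
    if kind == "registry_query" and GEO_NATION.search(ev["key"]):
        hits.append(Hit("geofence_country_lookup", image, ev["key"]))
    if kind == "file_create" and STARTUP_LNK.search(ev["path"]):
        hits.append(Hit("startup_folder_persistence", image, ev["path"]))
    if (kind == "file_modify" and SYSTEM_EXE.match(ev["path"])
            and image not in INSTALLERS):
        hits.append(Hit("system_executable_overwritten", image, ev["path"]))
    if kind == "net_connect":
        dst = (ev["dst"], ev["port"])  # dst: IP or resolved host name
        if dst == REDLINE_C2:
            hits.append(Hit("redline_c2_connect", image, "%s:%d" % dst))
        if dst == AGENTTESLA_SMTP:
            hits.append(Hit("agenttesla_smtp_exfil", image, "%s:%d" % dst))
    if kind == "dns_query" and ev["name"].lower() in IP_LOOKUP_HOSTS:
        hits.append(Hit("external_ip_lookup", image, ev["name"]))
    return hits


def scan(events: list[dict]) -> list[Hit]:
    return [h for ev in events for h in check_event(ev)]


# Constructed events mirroring rows of this report; the paths are invented.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming"'},
    {"type": "registry_query", "image": TEMP + r"\server_BTC.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation"},
    {"type": "file_create", "image": TEMP + r"\server_BTC.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk"},
    {"type": "file_modify", "image": r"C:\Windows\System32\alg.exe", "path": r"C:\Program Files\7-Zip\7zFM.exe"},
    {"type": "file_modify", "image": r"C:\Windows\System32\msiexec.exe", "path": r"C:\Program Files\7-Zip\7zFM.exe"},
    {"type": "net_connect", "image": TEMP + r"\build.exe", "dst": "212.162.149.53", "port": 2049},
    {"type": "net_connect", "image": SAMPLE, "dst": "s82.gocheapweb.com", "port": 587},
    {"type": "dns_query", "image": TEMP + r"\build.exe", "name": "api.ipify.org"},
    {"type": "dns_query", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "name": "example.org"},
]

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"{h.rule:34} {h.image:18} {h.detail}")
```

The msiexec.exe and firefox.exe events are there as negative cases: the executable-overwrite rule only fires for a non-installer image such as the dropped alg.exe, and the DNS rule only for the lookup host the report names. Windows Defender also logs its own event (ID 5007 in the Microsoft-Windows-Windows Defender/Operational log) whenever an exclusion is added, which is a useful corroborating source when the PowerShell command line was not captured.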
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CasPol.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | neworigin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server_BTC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | build.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TrojanAIbot.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
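The sixty-four reads above collapse to four device instances once the per-property keys are folded together: two Msft Virtual DVD-ROMs, one QEMU DVD-ROM and one WDC disk. The following added example (not code from the report or from the sample) shows how a sandbox check of this kind parses those instance paths and what it would conclude; the registry paths are copied from the rows above, while the marker lists and the strong/weak tiering are this editor's heuristic, not anything the report states. The tiering matters: a QEMU vendor string only exists on virtual hardware, but "Msft Virtual DVD-ROM" is also what Windows presents for any mounted ISO on a physical machine, so a check that keys on the word "Virtual" alone will misfire there, and a check that demands every device look virtual is defeated here by the WDC disk model that the sandbox exposes.

```python
"""Parse SCSI device instance paths from HKLM\\SYSTEM\\ControlSet001\\Enum\\SCSI
and classify them the way a sandbox-detection routine would. Added example,
not code from the report or the sample; runs offline on paths copied from
the report instead of enumerating a live registry."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Instance path shape under ...\Enum\SCSI:  <Class>&Ven_<vendor>&Prod_<product>\<instance>
DEVICE_ID = re.compile(
    r"(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]*)&Prod_(?P<prod>[^\\]+)\\(?P<inst>[^\\]+)")

# Heuristic marker lists (editor's assumption, not from the report).
STRONG_MARKERS = ("QEMU", "VMWARE", "VBOX", "VIRTIO", "XEN")   # hypervisor-only
WEAK_MARKERS = ("VIRTUAL",)   # also matches a mounted ISO on a physical host


@dataclass(frozen=True)
class ScsiDevice:
    cls: str
    vendor: str
    product: str
    instance: str

    @property
    def evidence(self) -> str:
        """'strong', 'weak' or 'none' evidence that this device is virtual."""
        hay = f"{self.vendor} {self.product}".upper()
        if any(m in hay for m in STRONG_MARKERS):
            return "strong"
        if any(m in hay for m in WEAK_MARKERS):
            return "weak"
        return "none"


def parse_device_id(path: str) -> ScsiDevice:
    """Parse a bare device ID or a full registry path that contains one."""
    tail = path.split("\\Enum\\SCSI\\", 1)[-1]
    m = DEVICE_ID.match(tail)
    if not m:
        raise ValueError(f"not a SCSI device instance path: {path!r}")
    return ScsiDevice(m["cls"], m["ven"], m["prod"], m["inst"])


def devices_from_registry_paths(paths: list[str]) -> list[ScsiDevice]:
    """Fold the many per-property reads down to unique devices, order kept."""
    seen: dict[ScsiDevice, None] = {}
    for p in paths:
        seen.setdefault(parse_device_id(p), None)
    return list(seen)


def assess(paths: list[str]) -> dict:
    """Verdict a sandbox check would reach from the enumerated devices."""
    devs = devices_from_registry_paths(paths)
    by: dict[str, list[str]] = {"strong": [], "weak": [], "none": []}
    for d in devs:
        by[d.evidence].append(d.vendor)
    verdict = "virtual" if by["strong"] else "suspect" if by["weak"] else "physical"
    return {
        "devices": devs,
        "strong": sorted(set(by["strong"])),
        "weak": sorted(set(by["weak"])),
        "physical": sorted(set(by["none"])),
        "verdict": verdict,
    }


# Registry paths copied from the 'Checks SCSI registry key(s)' rows above.
REPORT_PATHS = [
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009",
]

if __name__ == "__main__":
    result = assess(REPORT_PATHS)
    for d in result["devices"]:
        print(f"{d.cls:6} {d.vendor:5} {d.product:16} {d.evidence}")
    print("verdict:", result["verdict"])
```

Run on the report's paths this yields strong evidence from QEMU, weak evidence from the two Msft virtual DVD-ROMs, and a physical-looking WDC disk, so the verdict is "virtual" only because of the QEMU string; on the same machine with the QEMU device hidden, the remaining evidence would be the kind a physical host with a mounted ISO also produces.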
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe

Delays execution with timeout.exe (1 IoC)
pid | Process
840 | timeout.exe
Modifies data under HKEY_USERS (64 IoCs)
Every write listed here is made by the Windows Search processes (SearchProtocolHost.exe, SearchFilterHost.exe and SearchIndexer.exe, the last of which appears under Executes dropped EXE above) or by fxssvc.exe; they are MuiCache, FileExts and shell-extension cache entries under .DEFAULT, not values written by the sample itself.
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008387d64c6963db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea4e9d4c6963db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009cafbe4c6963db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006471014d6963db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c27964c6963db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell
Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a364724c6963db01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit SearchFilterHost.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2128 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2524 TrojanAIbot.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process
2308 powershell.exe
2308 powershell.exe
3248 neworigin.exe
3248 neworigin.exe
1592 powershell.exe
1592 powershell.exe
1788 elevation_service.exe
1788 elevation_service.exe
1788 elevation_service.exe
1788 elevation_service.exe
1788 elevation_service.exe
1788 elevation_service.exe
1788 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 660 Process not Found 660 Process not Found -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process
Token: SeDebugPrivilege 920 5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992.exe
Token: SeDebugPrivilege 2308 powershell.exe
Token: SeTakeOwnershipPrivilege 4124 CasPol.exe
Token: SeDebugPrivilege 3248 neworigin.exe
Token: SeDebugPrivilege 3172 server_BTC.exe
Token: SeDebugPrivilege 1592 powershell.exe
Token: SeDebugPrivilege 2524 TrojanAIbot.exe
Token: SeDebugPrivilege 3812 alg.exe
Token: SeDebugPrivilege 3812 alg.exe
Token: SeDebugPrivilege 3812 alg.exe
Token: SeTakeOwnershipPrivilege 1788 elevation_service.exe
Token: SeAuditPrivilege 4900 fxssvc.exe
Token: SeRestorePrivilege 1048 TieringEngineService.exe
Token: SeManageVolumePrivilege 1048 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 840 AgentService.exe
Token: SeBackupPrivilege 1740 vssvc.exe
Token: SeRestorePrivilege 1740 vssvc.exe
Token: SeAuditPrivilege 1740 vssvc.exe
Token: SeBackupPrivilege 4424 wbengine.exe
Token: SeRestorePrivilege 4424 wbengine.exe
Token: SeSecurityPrivilege 4424 wbengine.exe
Token: 33 3420 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3420 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3420 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3420 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3420 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3420 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3420 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3420 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3420 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3420 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3420 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3420 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3420 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3420 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3420 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3420 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3420 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3420 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3420 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3420 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3420 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3420 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3420 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3420 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3420 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3420 SearchIndexer.exe
Token: SeDebugPrivilege 1788 elevation_service.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3248 neworigin.exe -
Suspicious use of WriteProcessMemory 39 IoCs
description pid Process procid_target
PID 920 wrote to memory of 2308 920 5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992.exe 84
PID 920 wrote to memory of 2308 920 5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992.exe 84
PID 920 wrote to memory of 4124 920 5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992.exe 86
PID 920 wrote to memory of 4124 920 5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992.exe 86
PID 920 wrote to memory of 4124 920 5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992.exe 86
PID 920 wrote to memory of 4124 920 5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992.exe 86
PID 920 wrote to memory of 4124 920 5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992.exe 86
PID 920 wrote to memory of 4124 920 5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992.exe 86
PID 920 wrote to memory of 4124 920 5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992.exe 86
PID 920 wrote to memory of 4124 920 5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992.exe 86
PID 920 wrote to memory of 4124 920 5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992.exe 86
PID 4124 wrote to memory of 3172 4124 CasPol.exe 87
PID 4124 wrote to memory of 3172 4124 CasPol.exe 87
PID 4124 wrote to memory of 3172 4124 CasPol.exe 87
PID 4124 wrote to memory of 3248 4124 CasPol.exe 88
PID 4124 wrote to memory of 3248 4124 CasPol.exe 88
PID 4124 wrote to memory of 3248 4124 CasPol.exe 88
PID 4124 wrote to memory of 1976 4124 CasPol.exe 89
PID 4124 wrote to memory of 1976 4124 CasPol.exe 89
PID 4124 wrote to memory of 1976 4124 CasPol.exe 89
PID 3172 wrote to memory of 1592 3172 server_BTC.exe 96
PID 3172 wrote to memory of 1592 3172 server_BTC.exe 96
PID 3172 wrote to memory of 1592 3172 server_BTC.exe 96
PID 3172 wrote to memory of 2128 3172 server_BTC.exe 97
PID 3172 wrote to memory of 2128 3172 server_BTC.exe 97
PID 3172 wrote to memory of 2128 3172 server_BTC.exe 97
PID 3172 wrote to memory of 2524 3172 server_BTC.exe 100
PID 3172 wrote to memory of 2524 3172 server_BTC.exe 100
PID 3172 wrote to memory of 2524 3172 server_BTC.exe 100
PID 3172 wrote to memory of 1080 3172 server_BTC.exe 101
PID 3172 wrote to memory of 1080 3172 server_BTC.exe 101
PID 3172 wrote to memory of 1080 3172 server_BTC.exe 101
PID 1080 wrote to memory of 840 1080 cmd.exe 103
PID 1080 wrote to memory of 840 1080 cmd.exe 103
PID 1080 wrote to memory of 840 1080 cmd.exe 103
PID 3420 wrote to memory of 3252 3420 SearchIndexer.exe 149
PID 3420 wrote to memory of 3252 3420 SearchIndexer.exe 149
PID 3420 wrote to memory of 220 3420 SearchIndexer.exe 150
PID 3420 wrote to memory of 220 3420 SearchIndexer.exe 150
-
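The WriteProcessMemory entries above are more useful read as a graph than as a list: the sample writes into CasPol.exe nine times before CasPol.exe itself starts spawning the payloads, while every ordinary child receives only two or three writes. The script below is an added example, not part of the tria.ge report or of any tool it uses. It expands the counts from this section back into constructed log lines, rebuilds the writer-to-target tree, and marks the target that received far more writes than a normal child as the hollowing candidate. The write-count threshold (5) is an assumption chosen from this report's numbers, and the reading of the nine writes as a new image being mapped into CasPol.exe is an interpretation consistent with the SetThreadContext signature on the parent, not something the report states.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: (writer pid, target pid, writer image, target procid,
# number of log entries) copied from this report's WriteProcessMemory
# section and expanded into the sandbox's one-line-per-write format.
SAMPLE = "5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992.exe"
WRITES = [
    (920, 2308, SAMPLE, 84, 2),
    (920, 4124, SAMPLE, 86, 9),
    (4124, 3172, "CasPol.exe", 87, 3),
    (4124, 3248, "CasPol.exe", 88, 3),
    (4124, 1976, "CasPol.exe", 89, 3),
    (3172, 1592, "server_BTC.exe", 96, 3),
    (3172, 2128, "server_BTC.exe", 97, 3),
    (3172, 2524, "server_BTC.exe", 100, 3),
    (3172, 1080, "server_BTC.exe", 101, 3),
    (1080, 840, "cmd.exe", 103, 3),
]
LOG_LINES = [
    f"PID {src} wrote to memory of {dst} {src} {img} {tgt}"
    for src, dst, img, tgt, n in WRITES
    for _ in range(n)
]

LINE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parse_writes(lines):
    """Count writes per (writer pid, target pid); remember each writer's image."""
    counts = Counter()
    image = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, img = int(m.group(1)), int(m.group(2)), m.group(3)
        counts[(src, dst)] += 1
        image[src] = img
    return counts, image


def child_map(counts):
    """Writer pid -> sorted list of pids it wrote into."""
    tree = defaultdict(list)
    for src, dst in counts:
        tree[src].append(dst)
    return {src: sorted(dsts) for src, dsts in tree.items()}


def hollow_hosts(counts, threshold=5):
    """Targets that received far more writes than a plainly spawned child.

    threshold is an assumption, not a documented value: in this report a
    normally created child gets 2-3 writes (startup parameters), while the
    CasPol.exe host gets 9, which is what mapping a replacement image section
    by section before SetThreadContext would look like.
    """
    return sorted(dst for (_, dst), n in counts.items() if n >= threshold)


def roots(counts):
    """Writers that nobody wrote into: where each chain starts."""
    writers = {src for src, _ in counts}
    targets = {dst for _, dst in counts}
    return sorted(writers - targets)


def injection_chain(counts, image, root):
    """Render the tree of processes reachable by memory writes from root."""
    tree = child_map(counts)
    hosts = set(hollow_hosts(counts))
    out = []

    def walk(pid, depth):
        name = image.get(pid, "(never wrote to another process)")
        mark = "  <-- hollowing candidate" if pid in hosts else ""
        writes = f" [{counts[(0, 0)]}]" if False else ""
        out.append(f"{'  ' * depth}{pid} {name}{writes}{mark}")
        for child in tree.get(pid, []):
            walk(child, depth + 1)

    walk(root, 0)
    return out


if __name__ == "__main__":
    counts, image = parse_writes(LOG_LINES)
    for root in roots(counts):
        print("\n".join(injection_chain(counts, image, root)))
```

On this report's data the only root is PID 920 (the sample), the only hollowing candidate is PID 4124, whose image is known to be CasPol.exe because it later writes into 3172, 3248 and 1976, and everything after that descends from the hollowed host rather than from the original dropper. That is the structure to preserve when building a timeline: the three payload processes have CasPol.exe, not the sample, as their parent.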
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992.exe"
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:920 -
[depth 2] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308
-
-
[depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4124 -
[depth 3] C:\Users\Admin\AppData\Local\Temp\server_BTC.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\server_BTC.exe"
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3172 -
[depth 4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ACCApi'
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592
-
-
[depth 4] C:\Windows\SysWOW64\schtasks.exe
cmdline: "schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 14:13 /du 23:59 /sc daily /ri 1 /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2128
-
-
[depth 4] C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe
cmdline: "C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:2524
-
-
[depth 4] C:\Windows\SysWOW64\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBC4B.tmp.cmd""
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1080 -
[depth 5] C:\Windows\SysWOW64\timeout.exe
cmdline: timeout 6
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:840
-
-
-
-
[depth 3] C:\Users\Admin\AppData\Local\Temp\neworigin.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\neworigin.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3248
-
-
[depth 3] C:\Users\Admin\AppData\Local\Temp\build.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\build.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1976
-
-
-
[depth 1] C:\Windows\System32\alg.exe
cmdline: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3812
-
[depth 1] C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
cmdline: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788
-
[depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4760
-
[depth 1] C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:3720
-
[depth 1] \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
cmdline: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2120
-
[depth 1] C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
cmdline: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:4708
-
[depth 1] C:\Windows\System32\svchost.exe
cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4260
-
[depth 1] C:\Windows\system32\fxssvc.exe
cmdline: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4900
-
[depth 1] C:\Windows\System32\msdtc.exe
cmdline: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1472
-
[depth 1] C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
cmdline: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:1952
-
[depth 1] C:\Windows\SysWow64\perfhost.exe
cmdline: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1096
-
[depth 1] C:\Windows\system32\locator.exe
cmdline: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2476
-
[depth 1] C:\Windows\System32\SensorDataService.exe
cmdline: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4840
-
[depth 1] C:\Windows\System32\snmptrap.exe
cmdline: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4324
-
[depth 1] C:\Windows\system32\spectrum.exe
cmdline: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1932
-
[depth 1] C:\Windows\System32\OpenSSH\ssh-agent.exe
cmdline: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:436
-
[depth 1] C:\Windows\system32\svchost.exe
cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:3968
-
[depth 1] C:\Windows\system32\TieringEngineService.exe
cmdline: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1048
-
[depth 1] C:\Windows\system32\AgentService.exe
cmdline: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:840
-
[depth 1] C:\Windows\System32\vds.exe
cmdline: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4784
-
[depth 1] C:\Windows\system32\vssvc.exe
cmdline: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1740
-
[depth 1] C:\Windows\system32\wbengine.exe
cmdline: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4424
-
[depth 1] C:\Windows\system32\wbem\WmiApSrv.exe
cmdline: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1480
-
[depth 1] C:\Windows\system32\SearchIndexer.exe
cmdline: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3420 -
[depth 2] C:\Windows\system32\SearchProtocolHost.exe
cmdline: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:3252
-
-
[depth 2] C:\Windows\system32\SearchFilterHost.exe
cmdline: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
- Modifies data under HKEY_USERS
PID:220
-
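The command lines in the process tree carry the behaviours that the signature section only names: two Add-MpPreference calls that exclude first the whole user profile and then the drop directory from Defender scanning, a schtasks /create whose /ri 1 and /du 23:59 relaunch the dropped TrojanAIbot.exe every minute for the whole day, a CasPol.exe started with no arguments by an executable in Temp, and a cmd /c on a .tmp.cmd batch whose only visible child is a six-second timeout. The script below is an added example, not part of the tria.ge report: it encodes those rules over a constructed copy of this report's process records and parses the schtasks arguments to compute the implied launch cadence. The tag names, the list of .NET host binaries and the "user-writable path" pattern are assumptions made for the example.

```python
import re

# Constructed sample: (pid, parent pid, image path, command line) copied from
# this report's process tree. Not a live capture.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992.exe"
PS64 = r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CASPOL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
TASKBIN = r"C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe"
PROCESSES = [
    (920, 0, SAMPLE, f'"{SAMPLE}"'),
    (2308, 920, PS64, f'"{PS64}" Add-MpPreference -ExclusionPath $env:UserProfile'),
    (4124, 920, CASPOL, f'"{CASPOL}"'),
    (3172, 4124, r"C:\Users\Admin\AppData\Local\Temp\server_BTC.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\server_BTC.exe"'),
    (1592, 3172, PS32,
     '"powershell.exe" Add-MpPreference -ExclusionPath ' + r"'C:\Users\Admin\AppData\Roaming\ACCApi'"),
    (2128, 3172, r"C:\Windows\SysWOW64\schtasks.exe",
     f'"schtasks.exe" /create /tn AccSys /tr "{TASKBIN}" /st 14:13 /du 23:59 /sc daily /ri 1 /f'),
    (2524, 3172, TASKBIN, f'"{TASKBIN}"'),
    (1080, 3172, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBC4B.tmp.cmd""'),
    (840, 1080, r"C:\Windows\SysWOW64\timeout.exe", "timeout 6"),
]

TOKEN_RE = re.compile(r"\"[^\"]*\"|'[^']*'|\S+")
# Assumption: these directories are writable by a standard user, so an image
# or a task action living there deserves a second look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# Assumption: signed .NET utilities with no reason to be launched argument-less
# by something in a user-writable directory; common hollowing hosts.
DOTNET_HOSTS = {"caspol.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
                "msbuild.exe", "aspnet_compiler.exe"}


def tokens(cmdline):
    """Split a Windows command line, honouring double and single quotes."""
    return [t.strip("\"'") for t in TOKEN_RE.findall(cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_schtasks(cmdline):
    """'schtasks /create /tn X /tr Y /f' -> {'create': True, 'tn': 'X', 'tr': 'Y', 'f': True}."""
    toks = tokens(cmdline)
    opts, i = {}, 1
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key], i = toks[i + 1], i + 2
                continue
            opts[key] = True
        i += 1
    return opts


def runs_per_day(opts):
    """Launches per day implied by /sc daily plus /ri (minutes) over /du (hh:mm)."""
    if opts.get("sc", "").lower() != "daily":
        return None
    if "ri" not in opts:
        return 1
    hours, minutes = (int(x) for x in opts.get("du", "0:00").split(":"))
    return (hours * 60 + minutes) // int(opts["ri"]) + 1


def classify(pid, ppid, image, cmdline, by_pid):
    tags = set()
    base, toks = basename(image), tokens(cmdline)
    parent_image = by_pid.get(ppid, ("", "", "", ""))[2]
    if USER_WRITABLE.search(image):
        tags.add("exec-from-user-writable")
    if base == "powershell.exe" and any(t.lower() == "add-mppreference" for t in toks):
        for i, t in enumerate(toks[:-1]):
            if t.lower().startswith("-exclusion"):
                tags.add(f"defender-exclusion:{toks[i + 1]}")
    if base == "schtasks.exe":
        opts = parse_schtasks(cmdline)
        if opts.get("create") and USER_WRITABLE.search(opts.get("tr", "")):
            tags.add("scheduled-task-persistence")
        if (runs_per_day(opts) or 0) >= 100:
            tags.add("task-relaunch-loop")
    if base in DOTNET_HOSTS and len(toks) == 1 and USER_WRITABLE.search(parent_image):
        tags.add("dotnet-host-no-args")
    if base == "cmd.exe" and re.search(r"\\Temp\\[^ ]*\.cmd", cmdline, re.I):
        tags.add("temp-batch-stager")
    if base == "timeout.exe" and basename(parent_image) == "cmd.exe":
        tags.add("execution-delay")
    return tags


def analyze(processes):
    """pid -> sorted list of tags for every process record."""
    by_pid = {p[0]: p for p in processes}
    return {p[0]: sorted(classify(*p, by_pid)) for p in processes}


if __name__ == "__main__":
    for pid, tags in analyze(PROCESSES).items():
        if tags:
            print(pid, ", ".join(tags))
    task = parse_schtasks(PROCESSES[5][3])
    print(f"task {task['tn']}: {runs_per_day(task)} launches/day of {task['tr']}")
```

Run against the report's records this flags PID 2308 and 1592 for the two exclusions, PID 2128 as persistence with 1440 launches per day (23 h 59 min at a one-minute repeat interval, plus the initial start), PID 4124 as an argument-less CasPol.exe spawned from Temp, and the cmd.exe/timeout pair as a delayed stage. On a suspected host the same two artefacts can be confirmed with Get-MpPreference (ExclusionPath) and Get-ScheduledTask -TaskName AccSys. One further check the report invites but does not settle: the "Executes dropped EXE" and "Drops file in System32 directory" signatures attached to alg.exe, msdtc.exe and the other service binaries in the tree say nothing about what changed in those files, so on a real host their hashes should be compared with known-good copies rather than assumed clean.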
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (4): Credentials In Files (3), Credentials in Registry (1)
Downloads
-
Filesize
2.1MB
MD50f0ba0f3f96f6f69fc99d559cfd03e51
SHA1bb838d62ba058e616fcdf292a97a06b8d0cfb346
SHA256c1b3572c30bfc67b990033ca3fa6b725fe8d9e73264c63a6245a3777b7821769
SHA5120a4d3512f2617cec003e89a40d8b662e400606e41f459e97e911a7e378806d9b29e26d1a50c37c1f54dddef22669a4b214ca06ddf3bba13feb8a9699bc4c810d
-
Filesize
1.3MB
MD51e287147e54fce59ad2dc7c89ce86374
SHA11783feaa21012a0261b7d4956bb0d98ef6bcff8f
SHA2567a6eee03cb03c0fbd24bb14e182d2b8a6abc82d17fa9ef0f145d43566b8b3e57
SHA5129192dbbfe19d8fdc616389f439038cc8edb72c6341d8bb26a5e920e909552b92b806a0fd0d4c5dfe39b9d00e13077bafcb9ce9cc023064a86ce8c61af99be4dd
-
Filesize
1.6MB
MD5c4a6eb4fd55fe4a0f48c7cf246185957
SHA153544833d46318acaa3161aa008c829e4a17f25c
SHA256603c673e52a99af06b3523465cfb0e0a67dc605e2c6ee6e72321177ade4b34e6
SHA512c91c6d9842d718f625303cf8c26f47fb7cb0010cbf3db293a37e5d332cb11c26ebda9a58c95c860ce93e791401508f5d73bd0b549e082e05357508191cd33f9a
-
Filesize
1.5MB
MD50dd6ad079a4163ec76198e942c532acb
SHA1626a664917103663d6e482c4f8c6ca2e15dd2c23
SHA256d029c94ee05359e122b5aaedee2f533576ee12aa287090a9a6736c3122d0914f
SHA5126ded3ad6379b9dea5b524fe5578e08b0f85d83b8710d59235be41b8d1ce4e8bf417e22b494829f3593e30226634b19d996a73856b976bed0a79e641fef7c2d2d
-
Filesize
1.2MB
MD5dbb089d43f34566d25c857f36b62897f
SHA1cc624549164331bb0470fc69d903771dc3623c98
SHA256b5836e3cf20560e2f35fda2f916c1bf019a9a6b4082ab0fd35e69e71c7714413
SHA51298738de91373dbaa10dbd713314faa400595e9dda7bced0499980cf97e38a2b899e7012fea8bfcf0460055ea66f507e6d73f9d4d560fe1d4fff38418380b9fca
-
Filesize
1.1MB
MD50993e153a3d487dbc3862c1a9c485257
SHA199435c3a2d174070a0aaed5673406321c3c11110
SHA25641f23adf1b405eda43d4c338ae7228be5831c903925e6ed6e99c5f4e4870d3bd
SHA512c88bf6752244a34734e95e2f4f3d6ffad4f93828cedc3f938058da2d410183c5d89d55cec601ca6978474b706476613e08b568517f5c05ec7188dcdf166b7edc
-
Filesize
1.3MB
MD5ba22bd4cced4408c7289b984f1cb777e
SHA1a0f77ab98dd0f8fb01ccada936dd421cfcc33791
SHA2568958bc14f304f32afd4d3610f8693ff47eae3cfb0e11c19972416f8a158b19ee
SHA512fba31e9d3781dfe4d23f6dfa88445a68c08919a37208d0a4085d9f71ac739d97e2b688dd1b1b801bfc3547f58a938a69fea54202435af63ea281e3f748c0a3b7
-
Filesize
4.6MB
MD5f1e49cca265555f59720147d047bf386
SHA15867da60a81cbf2a43b5e5045c44839048116661
SHA256ce4a952fdd78e3b867372799eadf29751a7b189488a22d399c464c4ab57b118a
SHA512ea651cc6a71e9015e2cdcb99c9c9ce5b6d7cf02cc39f84e34d08f4574d16ee856f4246c5824a1d1e3bf955635d0393cb5aa8bde2ed95efe4d16e07d74147480a
-
Filesize
1.4MB
MD53e0cc4c1c21bf0b0b6e8ffc3ee319f8b
SHA1293e793f2ac41cb45932e77c48aba22aa038a1d2
SHA25676be956f0226ee5534eb0e02e6c73f135c2cd8fe4a7568bc05bad0027a454087
SHA512a0a06205a527c7207c91719f0ea024faefc2a918bd2ea6bb51344d6928bd713718f4fe4b11212a7fae49f6479a7009809890be1ace397d8541759acb6b4a2f52
-
Filesize
24.0MB
MD50e75c239ab79220c0071851e298f53da
SHA1c21b26dbc9f080523dfb087209b4f42fb6d4597b
SHA256bdabfe33ded12729472e37121f90eb875ef80e70387b32e57b12fe469057d7ef
SHA5123971f3327b12b28da3f4b8b56d668e8a91c4dbd4ca9cec91118d055cdc369af96c141f781a48bc0ea3f3ff3df5d1e37fc04419472a0d691f41d349dc2e2376c1
-
Filesize
2.7MB
MD58df6f2c9aeaeab6e9d5aa21d7c1105eb
SHA166e4996b8d4cb4fec6ceb03263b61921bf2507b1
SHA256cd8405f47bbfaad56894fe753cb7fe9193dbc11425c747b3bbe8b7002ec0b60d
SHA512665070a30c997bedd181baeeadcd543bd899b57b032ac9d36deb2aa2fe5a4d8fa077b39d908ec2f3b28940264a0719571e2097467e939819ae3315f248932ef2
-
Filesize
1.1MB
MD56e99258216f8fe33c8dac33b3844e351
SHA13d18b8b45acf45ffd3c4fa926e16ad4860d23d27
SHA256832bd4c69fc8cb2920c342193f7d3b5c322b943e03b064a74ced74588a1ba683
SHA51293b1845228a912c6f85682c87eadc5aa77f673fd2e3063352b5253cf7a06d1a10b9e8a341737bb771fd2b7b363386a71be93c395ae04cfd597b253303d16c435
-
Filesize
1.3MB
MD56b7a33fbbeb7a6bf30a3b879dd9dfa23
SHA19e7bd28d0d384fb851cc2835fe80be3a6114c5b2
SHA256a5dfc6024420e09c7728205ea13f02b528631f6ba44d5eefd9bfcd2fb9d8206e
SHA51272a8e135adec8c85a0275421edac73fe07242ca168e2764dbe1b39ef5109fb39ef096df905639545d6817e4d7162df7348fd48543b372ab7696fe91d320905be
-
Filesize
1.2MB
MD5b7823a97d16f4f2c7987880bc0331289
SHA1c5c3bf72f90fe5aa3c3d47f4d3e47c8afb9bf454
SHA256dc17f1f214500e130eebbbbf003a53b14bb0734a7bba57159dbe29b6b131d22d
SHA512b583b8b3bfa97d76822c411190e30eddadb289f662b270ff10a89e925793a5f7b3d39b93a1331da1f35672fa9af600432e666d9d4f1481e6e9ebfae42b0ee8e2
-
Filesize
4.6MB
MD5f0e1dcec506ebcacd8e42b0957f60981
SHA1f1eb614340477f78484e29b6d37c8ffd6b3d16f9
SHA25668f3f00da7dad47178083f30b11bb98c44efd5464c2385402709a4e16128ae76
SHA5127ac535d7e840fe84ef64d93da1fb85aee267ea51bc434877c6f6c3b4ce0fdaba935163b197b3574042d8c052783eb7325209c4fe155f98c1f287a2ff3445cf5c
-
Filesize
4.6MB
MD544d375498a0158c9e1b0a4b50e85573c
SHA170e6f10183ef474cd8dd2f9efe2a2095237a32c4
SHA25647d08eba8eb89cd4b79e8d1b983eebcd50897de3924811d3d029f137230d14d1
SHA512dc48c8adc35b3c6add10c6257e7d50a8bb2e4e24efe54f59dd271095748f1f431c1409410367de1824216363b0f740926b8b73b4ba8f4b5d4c7c6b6bab0ed93c
-
Filesize
1.9MB
MD5670bb9eeed2a2872771cd10bcf16db70
SHA1fffc8d26ab41bd418afc130beaafc4c1319ccec2
SHA2567273b230cafc9de7b7a389e9b803bf3f79bfc95127bedf30a6f3c04fec073077
SHA5120a11da341a3579f57f75d8ac4200c41c7d5488494d1333aabb655c7f732dea91150484f4b93da5e89312c8ee552e2e782e634fc44e6975746c8eb97b9d1e1575
-
Filesize
2.1MB
MD54bbeae432f49ab9a52c69c5ce0aef7c3
SHA11e31f77da0b6a9e0b624190d174d2fe23de9404e
SHA256e612a95750c21dbe1d97f52728b9aedd002309e69eec81af08e41a4cbac44816
SHA512ac47df6351b49ae3bdec21be07a6ae0679e02f2fcadd39e26050a8006dc6d4dc2a0bcb1d0ff1eaac7d7e4e77e42a48e4fcef4fa52d3a0481fe0fb94248f41256
-
Filesize
1.8MB
MD5adf89f6773a72a3b2a15081fc49c80e4
SHA1470a682b73dc749b89ce94ec0e875c81d50aaaf7
SHA256021a8d99158835ab1191d1cf72f2e18e73c4aa8389b2f713036f911c7360616a
SHA512046812e502c96236637246b82d49ce97236cea9c3076171b94fd1f3da7d42265b47f33f7e88e5254d9c65d908ad9a3a2f912582f91d2846e48c0ef083c02b00f
-
Filesize
1.6MB
MD52aaf354b101c3fab4fba1e96af001872
SHA18b362fbb996633f8bc878dd5d5b3492d0a4f172d
SHA256609ca626455cefb27da94c1d2acc6cbe586c2cb718bd730438d696d1ef2f17d2
SHA512755c7e4d30af36ae71879446208855d8c58e620b8a2e130b57c21339eb7843fd8d87550cdfd880959cd8e87998cb361a50aa718ba3630e82d954c7f96af794c0
-
Filesize
1.1MB
MD59767217ce8414bd510af260c991e6f78
SHA16ea880d4384c4bb11a52efe677c03b9d09e32fa8
SHA25602e6d1c3a5b9c27277379e063102aecc43f1247265e2f457242f96794eed25e4
SHA51234b2d40a874e404384a2b68fce275dd4923166db727695351673425cb0a00283c64182071d7bc39f965e7106b277a69182459e16e0be2653d5b836c1b5f023d7
-
Filesize
1.1MB
MD56f059c18825ab1b1d1f8744d758ee680
SHA1ec68ca8e6993c9d6b2f7beeea3c3e58f0073cdc7
SHA256d6132c4ed7f97612d3ddffd13a2670621bc0f353d32337000d890ebd3d62bdb3
SHA51268d1769ffbc512351fad78613fa222b81770cae41843e5be0f337d63b5b2368a94fb07b287c0e6eaf380fcd5f1c7103eb7a83713a10c6bb227e51b571713ad23
-
Filesize
1.1MB
MD55bb99e4499debafc49726b534d60531e
SHA103ef01069f5b5c9c78924d0525cdf17424ef26d5
SHA256fc61a60907e33518c80d0eb2aea0884d83c36c3e8650fdb3ec3002ac4cc027a2
SHA5128769c9ea6f4287876e8ee54fa82f35c85dd607659a2d780593b56bf7d382c87b55774af71ad28155e420898b7ae12c793b868c770bb924add58015a62924d35f
-
Filesize
1.1MB
MD58a3c1466046a4aa732bac1f78d67419c
SHA1029f766c4764293881fa4bbd8d6a62cbc1079665
SHA256dfa6c080940c51587f0227502d0c094f923f43fadf9c44d8e04ef0f22178e1b2
SHA512d064167666561673f4c063e26dcc7580611fd70a5a4afb43b4834153281830c87eda614c9b0cbad3e5a2161d15c7543493d684c623ebd50e629e501f9eedb654
-
Filesize
1.1MB
MD52eadc54e8424501b5813f0ee8c1a3c69
SHA14ed7fb08f490ef467405f316d73ea8742391fa53
SHA256f37e3ced1590631f48106f940ac357ea4c6867373fc7bd28953c2e2bcee6332d
SHA512392596fdabfe509747c0e0a0426104745aadc8979a96e660ec46e5aef15705abf5700e63d5e295e413234f2059f0a80cd94cc4b1f124dc3471353e58a9f6d55e
-
Filesize
1.1MB
MD59ff824e9e8a96f9a34dc863d317e5948
SHA1ea8dcb25b2ef4e154dd5344c92fb0c56ea4d6355
SHA25624c10ae3c8f10ff309017d6bec7a1133da66c5e6c3bb9b44e7d42d1340ee8b7c
SHA512b25727db03349e6682a7dbe598c012430998155be2994cf21032995823fedfa3af9e832942f705dda303e029e701e9e22b6327debd56160bf4a0a2640fab682c
-
Filesize
1.1MB
MD5dac4b5e27b17420b0389a0be7a7b5444
SHA137b76ca337a819c8a9a8d6c6d08d82a679dd58f0
SHA256b2b8c6d89365056873ec51fb4179a67c365a81e82a12d06e8f6dd7e957d9b518
SHA512b00b405b39124499caa60c42ce2de6382fe8e30664e97c87884ae2f565ef0cd22083214834769aa1c6e4a659b2f736b7bb957a2cc421288b2e0d337ba2ff914f
-
Filesize
1.3MB
MD50dd05ca214150a962ce0e8514af96ba1
SHA15881e5aca9386ed69fcd818b02a449e1dff488a3
SHA256e0d1ca1d11f5b5000eb0f84f981a1c1c1778c6c0910304c80d1cffd9736d2f14
SHA5120a7a06823f81512450756a24959348c2bd8d303ddece2ed1d6819e9c304720aa1d3be2fe6458a8de511e0a5fe88086c074485ecdaba29b08f9cd7b3c23d90261
-
Filesize
1.1MB
MD5047a4cd70d91a1acdba5ea9c48ef29f2
SHA1839a02cc7c79bbfef71387f99321267ab016e0f3
SHA25647a44b0f8140a2af1b687248802314f9104d5ef5edb2688e9591fed31ab136d1
SHA512162ccfbd5db484a455decd5e311e3dff8390881a474e79b4e856af41ca87d35213dd61460b351b6ac4872e3e592f6286921423e6c3ec51c1361242d1934dee5b
-
Filesize
1.1MB
MD50b34383349d9ed67cd276cff4c5a04d0
SHA12297f36adb4b20e9209ca570ab54cfcaa6955a9e
SHA256e6d238909b9f6384dab4813f6eb137b0da0766da6cfb77b44cb8d0a69cb0ca4e
SHA51294e8d4104bd23f5c5048dd227916e7b632b082441f5996e20933e30ff8540281c3345012b711edb0f09cf84281c7e8e51ae53f60c474e63758ab1783daf2063b
-
Filesize
1.2MB
MD5c86b76b7f6c1e8957d4ab314198c4598
SHA140f27a75d790b77cb9885574758d2be7160842c2
SHA256737200c58aa8908e79e4d40deff868aea0182ac63d32896b8b83957b1bca77c6
SHA51224afe83e6f3f3c906fc342f24a9ec8291ce3ca5bdee92371e4b34117ac2d3d8f7df63f3ea24bd9a3f780d7688a8a30016b23a3f809e8735f0f15aa7253a2b9d7
-
Filesize
1.1MB
MD51b5ebfccd139d05642156eb92edc1c50
SHA15ffabed69892e9f71575a48150b54c0e3a56dfee
SHA25693325c0b19d6983a79f760c6bac6cf83ea3d73007a3cd7201edf6a3c691a58a2
SHA51217db104756cec7032187489ec6fdb8469b606d736a06778b35d90526f4ab99b4c18eee72b8dfdbe18250d298b768da7fca65c0c2529a3a8c9c955b4f0dc07840
-
Filesize
1.2MB
MD57842e39116ee7e35071bf0b5ede7b149
SHA16dc12c1f0ef18843411df1ead065acc003e08764
SHA256fa26df3edd368bf4f1eeeed252baf914b50c0fe2d07bdd8c279aeb4d8667bd18
SHA5127b7f69127c262a6896880ac0992e2ede4608f35cd2399846df9e0404b0d3f1bc83415e01a1a47a03e13d706b43aca7a8f8bffa32e79074525f2c68bbf943c9b8
-
Filesize
3.2MB
MD5eea5b99fbb2064be16a46ef24d5eb2df
SHA1025ee6667e208e4be7c738241290d02408424901
SHA2565b96a2dafe8284d421131fc2dcc4620eb7eecd3b55935ca88f44fa7f25ae80e5
SHA51230826418f1bc9b811908e03e4f468202131ea740dfa87ed4766708468ba030120abb0367094129cefa9edf8f9c72929f2b4c826f1a8fc403f21d6dff1de89907
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 300KB
MD5: 3b6501feef6196f24163313a9f27dbfd
SHA1: 20d60478d3c161c3cacb870aac06be1b43719228
SHA256: 0576191c50a1b6afbcaa5cb0512df5b6a8b9bef9739e5308f8e2e965bf9b0fc5
SHA512: 338e2c450a0b1c5dfea3cd3662051ce231a53388bc2a6097347f14d3a59257ce3734d934db1992676882b5f4f6a102c7e15b142434575b8970658b4833d23676
-
Filesize: 244KB
MD5: d6a4cf0966d24c1ea836ba9a899751e5
SHA1: 392d68c000137b8039155df6bb331d643909e7e7
SHA256: dc441006cb45c2cfac6c521f6cd4c16860615d21081563bd9e368de6f7e8ab6b
SHA512: 9fa7aa65b4a0414596d8fd3e7d75a09740a5a6c3db8262f00cb66cd4c8b43d17658c42179422ae0127913deb854db7ed02621d0eeb8ddff1fac221a8e0d1ca35
-
Filesize: 226KB
MD5: 50d015016f20da0905fd5b37d7834823
SHA1: 6c39c84acf3616a12ae179715a3369c4e3543541
SHA256: 36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5
SHA512: 55f639006a137732b2fa0527cd1be24b58f5df387ce6aa6b8dd47d1419566f87c95fc1a6b99383e8bd0bcba06cc39ad7b32556496e46d7220c6a7b6d8390f7fc
-
Filesize: 162B
MD5: 80d5f89d1f889640f427806e922aff13
SHA1: 1592b808066fc29b6237548cfec7dc6e84d025bf
SHA256: 51fac8a545e9b8dbb223883362d246df27ae5cdc21ee720a717041295f65f2fb
SHA512: 7264a45f77e05b4ed2c51e7c3790ecec11e06079cb97fcfcecb0877ca741800e5bb97c1acf29933e2dc2f83c182c3f405b524147265ba35c45b733adfe932c9b
-
Filesize: 1.1MB
MD5: e4f5cb725baf985aa15de0a5c3a9a59e
SHA1: 93aad90fa44d967275734ff61dd32d8441adb071
SHA256: d76f1e476ec2fce6c1f1a539d75c5e36dbc11484ca540f0d7a4bcaaeed632839
SHA512: 01c409d5ae9f9bd58ade07b1452c839294cc06b76254f88671fb706891eaa312bd4307a956d870ef5c7b38756514962c1dddf5932bacac89859d0f09f32ba379
-
Filesize: 1.7MB
MD5: eb0d719586997e4775594af282df740e
SHA1: ef22d751a3c52f6fb2dceab840c638e1af6cba05
SHA256: 41d7df0eefb3da2af89b7d17d4d47b9dabfee5288bd40407ea8ecf506b53abbd
SHA512: e791f68e034420518ce99580abbd72cc00adb99ab2626bb4e0939fd652c8c2ebba00987e33f6acac5fb0c93a19eb94d1939a6720265732e8a15f68461286ffdc
-
Filesize: 1.2MB
MD5: b0c1871fa1beca964e87ed76b43a049f
SHA1: 6ff9b15441ce7584c436357aa61ec474eb4331b0
SHA256: 60938b4c39d9f2b5870b0eab38d44c4648f6f6d0e268a09a90320b64212f2747
SHA512: fc3710703bfcb39aae3f510969ad745352258d59686dffd953d4b30301dbdccd414ecd42f8f38711482d4992d111c38ec87bbe5ed3167ab0472c5b14f1ff39ab
-
Filesize: 1.2MB
MD5: d3b259aca6141f15c54874c72724869b
SHA1: 667d04cd46d753e1a3957f5a44e04625d83107a8
SHA256: 58fb1c881895b4f62462757ce7de9945be30e5700e5b7c9f24c7635f497e869a
SHA512: 3d9e8c281061bee7ca0dba5ce222505a7461884e4b58105936ec40a04ff7891749e1e036a78c075ba4f8ac8ead3c35bb9f6d3ef702a55e7ca0d1cbda7e71a00c
-
Filesize: 1.1MB
MD5: 14c2bf7ff0c716ebbc345b1d1ec53dc5
SHA1: 53aac945b7126a137ed7d6b7a3dfdf578f684b23
SHA256: 4b730e5a8b4d5ced1b1336d7fa24f319531413b78dd2ec8219f267bf13ac3fc7
SHA512: 458d965416c8f3b5a548dc7df8a6978174494b11bb0db8b53586cf046c3867533d0d56b38f66ff21c8081fd0eddfb63d7306e70bbafd274450ab86d0b32997d8
-
Filesize: 1.4MB
MD5: 8819cbf2e3620b698abca7774d4b0800
SHA1: 4c9c3327183a45293ef3148801ea0b6c178bae92
SHA256: ed7e919d4e81b35c30ee02dd371dfd571cefb38714117e90c878ab23407d2afe
SHA512: 582512fd0541fbeefbd041a568dd104e9f70b67fea7a148687318951684965193764a1d98d4d73fd92453e42d618b470e136c3900e2072a84f62edfc4f80030c
-
Filesize: 1.2MB
MD5: dceb4330312184aaeca0c03f6a41fa68
SHA1: de2bb70ae24ef2dbd20e29e124454d878dd2f9e0
SHA256: 7797d4a6ceb3da3492c95ae06ec0ff01c3b2d61b98110c33466f6081ebe458e7
SHA512: a0edfb355574e5e75e83ad10a3bae0ae06a1e8c7348db7db4a125e7340886f8ed123cf748fef137ced76c5a952762250130a2cd376628ab120f6be0b39711d7e
-
Filesize: 1.4MB
MD5: 51fd233257b1efe8e985a457f7a90e94
SHA1: fdce8bfe81f5b490f36243e38e3784d938f8ca3a
SHA256: cd9a2067c42272678cf43c036d5806a6feaf3226fce9d3e37de3ebbda18c4161
SHA512: e3ad8a7b0263ecd88fc51835a9f8714d9e740ecf7f466634cc008a1750042df14799890f34ae1373108fa5d699400ce7a5ff4212d7329aee791fc8617b8a8846
-
Filesize: 1.8MB
MD5: 1e8f89006298cde5a14ba50913077360
SHA1: d769ef7148478dde2592ecd61d38a9c5570a21f2
SHA256: edf775d0fec34dc5dbb23d11d0de1ed5ea23de2aeaef4486863f068ff7aebe7e
SHA512: f3948b77e14cf9a7d0b04a439e291bedbd6d95ccb0ca4317cb545a70800b5e83ecdc72a39b4af9ddebd4e3957ef1b2b4c02bdcf283f8111a6cb3bd054531ac18
-
Filesize: 1.4MB
MD5: db1f28464b419471b9f612cd4cb24d91
SHA1: 8dea6c20ed8809a527a17fa9296081fb1bd03ae8
SHA256: fad81af336a3196bf5c8ecf2e3f02ad272f7d423857d2573b28a8a0fa9b5c5e2
SHA512: b5287a67fbd9b484ef47bb37397f21727a66fea62952bb5b90090d1ec5a57d1f5c967988ff5f9d08ab50ba450150ed791aece73ee86e3b0317a231be74ed5ad5
-
Filesize: 1.4MB
MD5: 90a559f606cdd22bd626fb5081d29bb0
SHA1: ca0aeb884d051ab982a27d9d4c1cbe610e59dba5
SHA256: 041bdc2308c68d343cb9f5b2133d381cca7713d1f2ba09809499d294ae6f4d69
SHA512: 38e9cbc184a43c5d73d847f3a72171153b5f53046eedb20e733fb6ef787cf448a0a7cded487c739e4eb6b7c921edcb1bcb27dc4d2c9fff651545e9793dc49d4b
-
Filesize: 2.0MB
MD5: 2b4ad97aa452e9514f9690b1394bdfe1
SHA1: 1500a3f9338979db5f0d01737b80f02f224fff88
SHA256: 0ef701dbb9c1c4a3ee561d428fddd28ffa7ec035645bf059402e647a6c2c716a
SHA512: c445911f219beb6428de9b063c325d8489e5a91e140975e93d17d916c7dad350cb3720495234db7db3e8733d2322c6b1109c07de848c157d85e08469081f075e
-
Filesize: 1.2MB
MD5: 9974a793f690c99dc7adb725c20ac36a
SHA1: b00856dbf0ddc05abbd2a5f4e482d2425806d6cc
SHA256: 5d5cbc147628d94813c6861092efc310664a657ff491c7e2dcd60a9eea3ec536
SHA512: 8f31067d9863444c95c0a1d5e942f27ce67eeb785ddc54870b771de3275dce8f6dee41c5ffdff747ad9004b6c23aa60044f4a179ff0e8b88df2da443e1c52628
-
Filesize: 1.2MB
MD5: 9054681d36a843bbd938ec84f9db2271
SHA1: c56c9be7097a47a818240c6f9b209a4bc2b97b87
SHA256: dede6cbe15ed61f29aa664a98ba661013759673751dfaf2bb734199e772128a9
SHA512: 9fd9661a84cbc01573d604e96bc9171aaeee78d6a4d2c66f4a2139e306bee9d94ba009e63cfc3d4303ad87b0a08d3cdfac7a434c5bf0ad70bbe0ceabedc43229
-
Filesize: 1.1MB
MD5: b54f28d8279f660321b82e55d4457b38
SHA1: 921ff6f3e73f6de0dcc7b078ed7588c7d6f76485
SHA256: b23a36b415124b17ab81e838ea9d48b2214dd912bc22ec6c27fa1da10d18cb1e
SHA512: f287210aa47b44e0a2dbeb1f9debb7ca87935e53e6e8db3f99a3d3d4bd27b1a9a2a607e170c667143f2c7f1402e77ac70cf0bf43100dc1221a5249b433fb5a63
-
Filesize: 1.3MB
MD5: 8f4e0fcf3b281ea160ff7f48ef4ec576
SHA1: 41cfcab8db71b5bd36b284d79bf31edfd5239e46
SHA256: 954a6be3eb9ad49fe9daa88722cca02fb88c2dd4aa08f0cc88ca012febfe9587
SHA512: ec8a351ceb9815baf109a617f84c0cb565ce08aa348b43c56cfd082f7e0c954ce79a5d14ddfef7b542dd6c06116c257656dafdb385d093c056ab24002ea087bb
-
Filesize: 1.3MB
MD5: cd1473c6d40e3d45285f89cf9ce5ecec
SHA1: abdbc91de87d18660d71a208db401abc4652674e
SHA256: e29022153584a28a402ee8422eed73b283905cd0f4f1a8609c296d68fa16145b
SHA512: 5e1007769d646666a0533b7cd8dac711a9524769c0e45cf7ed9cfda3afb07e3b5ee709443d159c24e8a501716f2d99b2d8c65be6cdcae6321eb3ba8df7a8439e
-
Filesize: 2.1MB
MD5: 7c99660cd6d77c3278f4f5f0c8b150bf
SHA1: f41752386d83442039a90c061aa291c501680328
SHA256: 4d900caf23ae438b6773a66afad7d00f3f204087b591ed1b22f20ed3b2485a38
SHA512: d27cc080ec08062a72687a559a3986a143e781150d18976650ebe9daee87c0c5ec7a53a72955fc72913a292e4d858d2a40820db242a53e7118323fe3430f0215