Analysis

max time kernel: 151s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/05/2023, 18:41
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
Resource: win7-20230220-en

General

Target: SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
Size: 1.6MB
MD5: 3d1072986b88dc6184e40ba0df6acfc2
SHA1: 3dced4443af3c9591c948c827ac5b02bd0d31029
SHA256: 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5
SHA512: 6b072f7e1b617a1426faeffdc14b80259f2601f29f5df65953694917cfa9611379976424ec37ffe3d139f5abd1bff02146d968f6a47d96d57ab4de1bb32a626b
SSDEEP: 24576:rPKokfY5HGAg4y2oLeeHlQFwSohxt3jIwYg94ZIgUZ8K5BEuww4sXpA5jp9DTS2I:LZWY5mz4yJSfu/9IwYgeJuw7sX0jpd

Malware Config

Extracted: darkcloud
https://api.telegram.org/bot5955632087:AAGbHX-YygFpBeOiEaTfH9CY-2MMNrZcY48/sendMessage?chat_id=865011046
Signatures

Executes dropped EXE 22 IoCs
pid   Process
4124  alg.exe
2064  DiagnosticsHub.StandardCollector.Service.exe
2116  fxssvc.exe
2076  elevation_service.exe
2652  elevation_service.exe
1872  maintenanceservice.exe
3224  msdtc.exe
3372  OSE.EXE
2068  PerceptionSimulationService.exe
2240  perfhost.exe
1804  locator.exe
4788  SensorDataService.exe
1116  snmptrap.exe
4212  spectrum.exe
4620  ssh-agent.exe
3180  TieringEngineService.exe
2788  AgentService.exe
1468  vds.exe
1884  vssvc.exe
4380  wbengine.exe
2080  WmiApSrv.exe
1700  SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 24 IoCs
Suspicious use of SetThreadContext 1 IoCs
description                              pid   Process                                       procid_target
PID 2348 set thread context of 1512      2348  SecuriteInfo.com.Win32.TrojanX-gen.29310.exe  94
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description                   ioc                                                                   Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification  C:\Windows\DtcInstall.log                                             msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                              Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0        TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid   Process
2348  SecuriteInfo.com.Win32.TrojanX-gen.29310.exe  (2 events)
1512  SecuriteInfo.com.Win32.TrojanX-gen.29310.exe  (35 events)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid  Process
676  Process not Found  (2 events)
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
description                           pid   Process
Token: SeDebugPrivilege               2348  SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
Token: SeTakeOwnershipPrivilege       1512  SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
Token: SeAuditPrivilege               2116  fxssvc.exe
Token: SeRestorePrivilege             3180  TieringEngineService.exe
Token: SeManageVolumePrivilege        3180  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege  2788  AgentService.exe
Token: SeBackupPrivilege              1884  vssvc.exe
Token: SeRestorePrivilege             1884  vssvc.exe
Token: SeAuditPrivilege               1884  vssvc.exe
Token: SeBackupPrivilege              4380  wbengine.exe
Token: SeRestorePrivilege             4380  wbengine.exe
Token: SeSecurityPrivilege            4380  wbengine.exe
Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege)  1700  SearchIndexer.exe
Token: SeIncBasePriorityPrivilege     1700  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       1700  SearchIndexer.exe  (25 events)
Token: SeDebugPrivilege               1512  SecuriteInfo.com.Win32.TrojanX-gen.29310.exe  (5 events)
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
1512  SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
description                        pid   Process                                        procid_target
PID 2348 wrote to memory of 3836   2348  SecuriteInfo.com.Win32.TrojanX-gen.29310.exe   93   (3 events)
PID 2348 wrote to memory of 1512   2348  SecuriteInfo.com.Win32.TrojanX-gen.29310.exe   94   (8 events)
PID 1700 wrote to memory of 884    1700  SearchIndexer.exe                              121  (2 events)
PID 1700 wrote to memory of 1384   1700  SearchIndexer.exe                              122  (2 events)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.exe"
    PID: 2348
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.exe"
        PID: 3836
    [2] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.exe"
        PID: 1512
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
[1] C:\Windows\System32\alg.exe
    cmdline: C:\Windows\System32\alg.exe
    PID: 4124
    - Executes dropped EXE
    - Drops file in System32 directory
[1] C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    cmdline: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    PID: 2064
    - Executes dropped EXE
[1] C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    PID: 2736
[1] C:\Windows\system32\fxssvc.exe
    cmdline: C:\Windows\system32\fxssvc.exe
    PID: 2116
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    cmdline: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    PID: 2076
    - Executes dropped EXE
[1] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    PID: 2652
    - Executes dropped EXE
[1] C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    PID: 1872
    - Executes dropped EXE
    - Drops file in Program Files directory
[1] C:\Windows\System32\msdtc.exe
    cmdline: C:\Windows\System32\msdtc.exe
    PID: 3224
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
[1] \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    cmdline: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    PID: 3372
    - Executes dropped EXE
[1] C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    cmdline: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    PID: 2068
    - Executes dropped EXE
[1] C:\Windows\SysWow64\perfhost.exe
    cmdline: C:\Windows\SysWow64\perfhost.exe
    PID: 2240
    - Executes dropped EXE
[1] C:\Windows\system32\locator.exe
    cmdline: C:\Windows\system32\locator.exe
    PID: 1804
    - Executes dropped EXE
[1] C:\Windows\System32\SensorDataService.exe
    cmdline: C:\Windows\System32\SensorDataService.exe
    PID: 4788
    - Executes dropped EXE
    - Checks SCSI registry key(s)
[1] C:\Windows\System32\snmptrap.exe
    cmdline: C:\Windows\System32\snmptrap.exe
    PID: 1116
    - Executes dropped EXE
[1] C:\Windows\system32\spectrum.exe
    cmdline: C:\Windows\system32\spectrum.exe
    PID: 4212
    - Executes dropped EXE
    - Checks SCSI registry key(s)
[1] C:\Windows\System32\OpenSSH\ssh-agent.exe
    cmdline: C:\Windows\System32\OpenSSH\ssh-agent.exe
    PID: 4620
    - Executes dropped EXE
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
    PID: 3640
[1] C:\Windows\system32\TieringEngineService.exe
    cmdline: C:\Windows\system32\TieringEngineService.exe
    PID: 3180
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\AgentService.exe
    cmdline: C:\Windows\system32\AgentService.exe
    PID: 2788
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\vds.exe
    cmdline: C:\Windows\System32\vds.exe
    PID: 1468
    - Executes dropped EXE
[1] C:\Windows\system32\vssvc.exe
    cmdline: C:\Windows\system32\vssvc.exe
    PID: 1884
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\wbengine.exe
    cmdline: "C:\Windows\system32\wbengine.exe"
    PID: 4380
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\wbem\WmiApSrv.exe
    cmdline: C:\Windows\system32\wbem\WmiApSrv.exe
    PID: 2080
    - Executes dropped EXE
[1] C:\Windows\system32\SearchIndexer.exe
    cmdline: C:\Windows\system32\SearchIndexer.exe /Embedding
    PID: 1700
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\SearchProtocolHost.exe
        cmdline: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
        PID: 884
        - Modifies data under HKEY_USERS
    [2] C:\Windows\system32\SearchFilterHost.exe
        cmdline: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
        PID: 1384
        - Modifies data under HKEY_USERS
-
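Two things in the tree above are what a responder actually pulls out of this report: the parent sample (PID 2348) setting a thread context and writing into two child copies of its own image (PIDs 3836 and 1512), and the long run of Windows and vendor service binaries (alg.exe, fxssvc.exe, the Chrome/Edge elevation services, SearchIndexer.exe and so on) that the sandbox tags "Executes dropped EXE" even though they run from their normal install paths. The following Python is an added example, not part of the sandbox output: it parses rows transcribed from the "Suspicious use of WriteProcessMemory" table and a constructed subset of the process tree, and returns the injection edges, the self-hollowing pairs and the list of service binaries whose on-disk copy should be re-verified. The rule that a "dropped" EXE running from a system or Program Files path means the original binary was overwritten is an interpretation of this report, not something the sandbox asserts.

```python
import re
from collections import defaultdict

# Constructed input: the four distinct rows of the "Suspicious use of
# WriteProcessMemory" section above, in the sandbox's own row format
# ("PID <src> wrote to memory of <dst> <src> <image> <procid_target>").
WPM_LINES = """
PID 2348 wrote to memory of 3836 2348 SecuriteInfo.com.Win32.TrojanX-gen.29310.exe 93
PID 2348 wrote to memory of 1512 2348 SecuriteInfo.com.Win32.TrojanX-gen.29310.exe 94
PID 1700 wrote to memory of 884 1700 SearchIndexer.exe 121
PID 1700 wrote to memory of 1384 1700 SearchIndexer.exe 122
""".strip().splitlines()

# Constructed input: a subset of the process tree above as
# (depth, image path, pid, behaviour flags).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.exe"
PROCESS_TREE = [
    (1, SAMPLE, 2348, {"Suspicious use of SetThreadContext",
                       "Suspicious use of WriteProcessMemory"}),
    (2, SAMPLE, 3836, set()),
    (2, SAMPLE, 1512, {"Drops file in System32 directory",
                       "Drops file in Program Files directory"}),
    (1, r"C:\Windows\System32\alg.exe", 4124, {"Executes dropped EXE"}),
    (1, r"C:\Windows\system32\fxssvc.exe", 2116, {"Executes dropped EXE"}),
    (1, r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe",
     2076, {"Executes dropped EXE"}),
    (1, r"C:\Windows\System32\svchost.exe", 2736, set()),
    (1, r"C:\Windows\system32\SearchIndexer.exe", 1700,
     {"Executes dropped EXE", "Suspicious use of WriteProcessMemory"}),
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")


def parse_write_process_memory(lines):
    """Map source PID -> set of target PIDs. Duplicate rows (the sandbox emits
    one per WriteProcessMemory call) collapse into a single edge."""
    edges = defaultdict(set)
    for line in lines:
        m = WPM_RE.match(line.strip())
        if m:
            edges[int(m.group(1))].add(int(m.group(2)))
    return dict(edges)


def hollowing_candidates(tree, edges):
    """(parent, child) pairs where a parent that set a thread context wrote
    into a child running the same image: the self-hollowing pattern the
    sample's first three processes show."""
    by_pid = {pid: (path, flags) for _, path, pid, flags in tree}
    pairs = []
    for src, targets in edges.items():
        if src not in by_pid:
            continue
        src_path, src_flags = by_pid[src]
        if "Suspicious use of SetThreadContext" not in src_flags:
            continue
        for dst in sorted(targets):
            if dst in by_pid and by_pid[dst][0].lower() == src_path.lower():
                pairs.append((src, dst))
    return pairs


# Locations where a legitimate service binary already exists; a "dropped"
# EXE executing from here means the original was overwritten (interpretation).
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def overwritten_service_binaries(tree):
    """(pid, path) for processes tagged 'Executes dropped EXE' that run from
    an OS or vendor install path, in tree order."""
    return [(pid, path) for _, path, pid, flags in tree
            if "Executes dropped EXE" in flags
            and path.lower().startswith(SYSTEM_ROOTS)]


def triage_summary(tree=PROCESS_TREE, wpm_lines=WPM_LINES):
    """One dict a responder can hand to a hunt: injection edges, hollowing
    pairs, and the service binaries to re-verify on disk."""
    edges = parse_write_process_memory(wpm_lines)
    return {
        "injection_edges": edges,
        "hollowing_pairs": hollowing_candidates(tree, edges),
        "overwritten_binaries": overwritten_service_binaries(tree),
    }


if __name__ == "__main__":
    for key, value in triage_summary().items():
        print(f"{key}: {value}")
```

The `overwritten_binaries` list is the input for a host check (Authenticode signature and hash comparison against a clean reference of the same Windows build) before the originals are restored; the hashes in the Downloads section below are what the sandbox captured for the dropped copies and can be compared directly against the files on a suspect host.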
Network
MITRE ATT&CK Enterprise v6
Downloads
-
File 1: 2.1MB
  MD5    dc5df84f2f341eb756d52d416c25672a
  SHA1   9b68322b63fbef5c3607b085e3f6c4042bbecb26
  SHA256 d6851c67c09a02a54950f830ba3675987038db63f9b0325ae9618c6e77404f67
  SHA512 70ea351aff6fdaac102865c68d837b2bcb0c849bc48cbc9125aa1d702b158f7835723a028ea5d9e53627711d416ade14d73033b35ff46ab225c618b8849515f2
File 2: 1.4MB
  MD5    46ba2c464cf5e7a9c60bb2ff5a5354e6
  SHA1   8eccf7799a6200fc6af615cc3db1cf7a578cc054
  SHA256 60c41130b4eae500234d0f1d828a0dce08ade62262ce53a8a69a9bda0cb22493
  SHA512 859ab843246002203c4438988c28f8c8162692dbaf46b090ee1ea12b73f1e96f41bb9095446e3c859e0d11dbafca4f12f64e217ed29b5caf2c3b4bff7fa22b1a
File 3: 1.5MB
  MD5    dcd7a67e87e6114edb1085865f8d775e
  SHA1   b2a7ab3b3f236a138a3a758030c88d3af29f79d7
  SHA256 ded42d6e4d800c011b58177d521749c872cc9ed61c953cb8c54204d126afbd82
  SHA512 9b80cbb087e4cec9a139de25396d8939c6c08038a933630dac220a0a8c2052a79ea3906725774d7770ab172156ea752516bee655ae4ef8847e565fd54232ca8c
File 4: 2.1MB
  MD5    acdde84eb61d05ad9eb142c3cd045839
  SHA1   93424013eaacb4b915dc18f1fc39d9ce1dda6fd7
  SHA256 4bbc019b0a65e7703ae85360148bdd39d5347c79fbc1516d0c3696c61cc174ea
  SHA512 ee2b8a4f38f599c439158157601e88727d89401ef58d2fe9a31547f5e43b607f89dcebf6a7e45a51be2bc14db6e95f35b819f361362704323dc2fdf0cdc92171
File 5: 1.2MB
  MD5    813db0b56035ec0a4cf3887d71d2c4aa
  SHA1   f03217e425ebaee33cf9be638b8c83755733bd47
  SHA256 22669a2a26859389a1339b872c3a64c45f05e0e621b7691de49c583a0f3cb3f8
  SHA512 93d97485946fd5c6e50c46ba75573f65b89825eb7e218050fd2d6b71fcf483deda2465c13a5c9e861a8af4fc01ba0a0495ea3572768bff1473c960012f5771ca
File 6: 1.7MB
  MD5    f04bed6f8a5f80ae129fcb931b0d02b1
  SHA1   8b3e57fac5981828bd626a81ed372c16d553bbc9
  SHA256 36ca5f14dfe5022ade2470c0b0eb64da9e9a0e3b814f4da498f2d60a0dff41ca
  SHA512 cefe6eb98308ae6a9961ee4061c104f73577d0668d42e80e3f58e348ae49b96a1f42398f07ac54618a66e0f2e13eb9d09cb4f52058010258af929265865ffd4c
File 7: 1.3MB
  MD5    c91b32313dd84831e1db3e202c19d981
  SHA1   7054bc8bad75c962799e6a3a1be3484753f9daca
  SHA256 2749778929d83eb80d6f03b26949f7c5c25628ac66c64c2f7f38c7bd556aa310
  SHA512 4b499ca1557f5f09ee96e743a90158c7742457f260522461e15f56b47c0e7a8fedc729f2d95c4ddccae3971fbc0493f1fb3e65b2de170ef5ff7e5ffc3624a396
File 8: 1.2MB
  MD5    a9cdea84dc5a3324d8e4ced1ca4c188d
  SHA1   21d368d833d92acb896d82a041088514e5f617b4
  SHA256 7754a1f068cc9ffffd930958581b46eacf5445126bad043cd7f564aa54f266cb
  SHA512 93c7931a39cb5d773be7167b58f3d93eff58bddd920f8a840f5547810ec4898bc45d74e5be7d7da2d18e06e92a1728cad7870ed036bcde29e803a84181d50162
File 9: 1.2MB
  MD5    5a3e3ef62dec5c4fe3ae8bffa321fb75
  SHA1   aeb3d5fc948c444ebf7aeadfdc2d3ad356cb877c
  SHA256 b5a644fbcaa08d29784db4eaf710fe8622d6f976327ae9fe24ea6c90f1ad468e
  SHA512 e155d1cb8313acc0e56cfecc62c71380688dc75d9f80df949c02b7e97e8139f2c5322cc9040a0dceaecfa87b0b421aa91589dc2d83421335cdbbcb4a977b8231
File 10: 1.6MB
  MD5    5c868867266cc26eb10fb6a7ce2e7dba
  SHA1   339b005d80b5281b57008ec283b0b084aebf65cc
  SHA256 75b90f127d00b5e51fbc5c862adc1c97b215d8995fd4b6717913bca2d99b7d73
  SHA512 5a2648854c5fdf6b64d25e0638fc4202f7f78fa9eec11abf3e1ddc2d7ecba806e7f69d8c4176c08bd440578fc39a8930f6a0b74e720b7d2b8834c4f410fd6b75
File 11: 1.6MB (identical content to File 10)
  MD5    5c868867266cc26eb10fb6a7ce2e7dba
  SHA1   339b005d80b5281b57008ec283b0b084aebf65cc
  SHA256 75b90f127d00b5e51fbc5c862adc1c97b215d8995fd4b6717913bca2d99b7d73
  SHA512 5a2648854c5fdf6b64d25e0638fc4202f7f78fa9eec11abf3e1ddc2d7ecba806e7f69d8c4176c08bd440578fc39a8930f6a0b74e720b7d2b8834c4f410fd6b75
File 12: 1.3MB
  MD5    6901c175e4321d9f7b8f3bb1f2d3aa09
  SHA1   f8b43ac67148c876d10755b51a4f8c942fabe843
  SHA256 42db4986f57d66941b2fcaed7615ce114555b83f95607334210eb49514001915
  SHA512 20a5ed020d8c9749a42c8a0604094bf9fbd3625f162d53ec6efb9368e1b24a5ca172176f4cfb434b55ec40ea0988e8453e7d0ddde86e5f606ab79375ed0ea85c
File 13: 1.4MB
  MD5    49f397e2edb5f439bd27e54fd2937b56
  SHA1   7ace2b64cc6f0d821efe73354883410002b622d9
  SHA256 c9762fe7afbcdd9ce841b2c898f42ad0ceb4c3d965a82405f8ddc458c20f8ac0
  SHA512 9c93508bc0976388949df5524e90b7ab46939b35ee746cb011b2f00400da79276b80043780bf01aef5e6fc8fa9613f22e4c2b12919668d38310d740e372a2d0c
File 14: 1.8MB
  MD5    43ffc36193e6ac79623905110158fc27
  SHA1   ef71d136c676e635c0d9bc34c84f2fa34e2ff17e
  SHA256 87348a239d0c9168c9743ebb88cdbc1e5097d235d9e8de1f52ffc05bfde1fe7a
  SHA512 b505f3dd4573cac85803fe96962c0f688018519a2fda0ca053ae33d8c689bdfb1ba11ccb7f98072598911d46a21f882e9dd29bfdf28f26c8bf8e7b554d017bb1
File 15: 1.4MB
  MD5    b19a459f67badaae998ea140d2ee7724
  SHA1   d84b67becb4c88c48f571a381bd562a885848730
  SHA256 28c841d2f0f7c5934e1bb393eb567e40603ba3d3f8fbf619ed366c1e6917e298
  SHA512 795471348df8470d5f3b82a257148d22f6f636d35bda514d46447698ca235c3e75d0f3d6d8b41cd2f8e5c316a0b0d14fce04c66ba4b9dc542caf8e650eb7e6e0
File 16: 1.5MB
  MD5    88c0a7ab684b302ffe4f68e3e37c4a98
  SHA1   9f58e001e784688c133f6b01ddc10483b836e638
  SHA256 82e3980e006350bc21aa661e10b7b3d408c3716c1e7f6cf1526d30a75a33e634
  SHA512 93ac6534dfd26610be00ff2e3e9a4dbd4d95ef90b756d3ba09a91da2346a9fd8b65af759b1d86a4bc9977af5d30673d71c1911637bab8b78aa7c223785ff550b
File 17: 2.0MB
  MD5    7e9e01f89238a68ec01091596c3afa94
  SHA1   da02e0f7bc82f2317645ca99dbe0fd3b6a5c662e
  SHA256 76376566c4f9be99426f51a917026e91d9265c4374286e479a401f39aaa497b2
  SHA512 f7fa59f530ad48f1f241367891e5ea72c96dd01693322b696cdaee874e09215681320a056a18e31dd6cddd5076ece7970fe3faae0e38c350486608a4d6365011
File 18: 1.3MB
  MD5    8de42f360007fa54844332e98e1d2174
  SHA1   865842e7529f061927d569aaf296480362eafabd
  SHA256 b1e1d1d882cf2f8dbf72f1d6ab88f661783b4801059d9abc042f9e4ade34575d
  SHA512 faff873be993e5a21798fdb1ef649c343aee0191c44ab19f8848526835772f1d9865153acc73f90cf36dff9c02b429426f2f1506767da44389414b7d1550a5c5
File 19: 1.4MB
  MD5    70d36ad73bfcec14501dc8c1b837b968
  SHA1   c40f479d7a465bd0b2f06ba297876e919d719f8b
  SHA256 86541463f910d70fef8caae5037644b8b7bbf62234cab589f3c62e8d0c19eda4
  SHA512 ec2d0de054a8829fd0b6ccb6b629695307622d0bc397a1b73211855c4ef720e497b4c42898077878f787bc56fc869aa564411cb09eca7469bea22c54e83d4558
File 20: 1.2MB
  MD5    942e32bb98fc2ea47af51d8433b4ad53
  SHA1   001c21c4f8463c55e4985bd19423fb0a2a7e07ac
  SHA256 477bcae3a98f347780b0d5d855b5f0ba1969a97fd83cca5b5a54fa8dba1493ff
  SHA512 605a64ac7f48871972e137a4c90319d1c61a73b8d5d58f47f703adc85340f409076fa1267ef73ef4b5589563cb2ae637f7a7880c45b75e7acdb9bdef42c0d3c6
File 21: 1.3MB
  MD5    936cf284c123b180a42f427262865120
  SHA1   7f1b41770f01c1f2de6fcb96a61d96e08a708f56
  SHA256 34065d621bb33cdec51b365eb30510d3efe81d07b078bfd389699badd060a297
  SHA512 d47ebcf1c88ddefbbadc9563317da8a1808b8a2bb4490fc06f205ab963f4542da308593f0e58ad694f2f066b4f7a9f4d5183fe72f727e8c8efe5a00701b59e7b
File 22: 1.4MB
  MD5    c1210b42987151dcc4158dff83fb5f0b
  SHA1   c23a3240345f492d6adc5f0f2e01a7a8de6c0315
  SHA256 a139d3a7db4d5b769b89e5cfa50bf1faac2a41795a05a38cbd6277442832bd9c
  SHA512 5e9c338fc8195ff57696dc13e442f45a48800e14472d43af331a7f4c2f63cca482ba5f6075d97d9b0cffe6c3e64ff66b1bdc49361ae2a7145f4678a4c48e755b
File 23: 2.1MB
  MD5    73e1c3ee65d2393db9a1d175b6d71233
  SHA1   d23d9cf10e227eae506e32fcc89e0c09d6515428
  SHA256 fb3102739989f9e818275a3f91748bd96b2275c01ea00dadb87d36bd50a7588c
  SHA512 1aa51c38fb52df4805cc0d580c9f52d96ba95516d79e57771d2324d72ce802ea19cb73a1ef77ca0c4bef27f1dc937065f40b5b4be3cea74d0a66d15adb6457d4