Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted: 04/05/2023, 18:41
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
Resource: win7-20230220-en

General
Target: SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
Size: 1.6MB
MD5: 3d1072986b88dc6184e40ba0df6acfc2
SHA1: 3dced4443af3c9591c948c827ac5b02bd0d31029
SHA256: 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5
SHA512: 6b072f7e1b617a1426faeffdc14b80259f2601f29f5df65953694917cfa9611379976424ec37ffe3d139f5abd1bff02146d968f6a47d96d57ab4de1bb32a626b
SSDEEP: 24576:rPKokfY5HGAg4y2oLeeHlQFwSohxt3jIwYg94ZIgUZ8K5BEuww4sXpA5jp9DTS2I:LZWY5mz4yJSfu/9IwYgeJuw7sX0jpd
Malware Config
Extracted
darkcloud
https://api.telegram.org/bot5955632087:AAGbHX-YygFpBeOiEaTfH9CY-2MMNrZcY48/sendMessage?chat_id=865011046
Signatures
Executes dropped EXE 22 IoCs
pid Process
1500 alg.exe
1104 DiagnosticsHub.StandardCollector.Service.exe
5116 fxssvc.exe
3196 elevation_service.exe
4788 elevation_service.exe
4440 maintenanceservice.exe
1516 msdtc.exe
4380 OSE.EXE
4620 PerceptionSimulationService.exe
3420 perfhost.exe
1768 locator.exe
220 SensorDataService.exe
2344 snmptrap.exe
3424 spectrum.exe
5036 ssh-agent.exe
2448 TieringEngineService.exe
4416 AgentService.exe
1128 vds.exe
2068 vssvc.exe
1488 wbengine.exe
2736 WmiApSrv.exe
3976 SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
description ioc Process
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\e1f82809ea807a0f.bin alg.exe
File opened for modification C:\Windows\System32\msdtc.exe SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification C:\Windows\system32\msiexec.exe SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification C:\Windows\System32\SensorDataService.exe SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification C:\Windows\system32\TieringEngineService.exe SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification C:\Windows\System32\alg.exe SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification C:\Windows\system32\dllhost.exe SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification C:\Windows\system32\locator.exe SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification C:\Windows\system32\SgrmBroker.exe SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification C:\Windows\system32\spectrum.exe SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification C:\Windows\system32\wbengine.exe SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification C:\Windows\system32\fxssvc.exe SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification C:\Windows\SysWow64\perfhost.exe SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification C:\Windows\System32\vds.exe SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification C:\Windows\system32\vssvc.exe SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification C:\Windows\system32\SearchIndexer.exe SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification C:\Windows\system32\AppVClient.exe SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
File opened for modification C:\Windows\System32\snmptrap.exe SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification C:\Windows\system32\AgentService.exe SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target
PID 4352 set thread context of 2828 4352 SecuriteInfo.com.Win32.TrojanX-gen.29310.exe 91
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description ioc Process
File opened for modification C:\Windows\DtcInstall.log msdtc.exe
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
2828 SecuriteInfo.com.Win32.TrojanX-gen.29310.exe (35 identical entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
652 Process not Found (2 identical entries)
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2828 SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
Token: SeAuditPrivilege 5116 fxssvc.exe
Token: SeRestorePrivilege 2448 TieringEngineService.exe
Token: SeManageVolumePrivilege 2448 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4416 AgentService.exe
Token: SeBackupPrivilege 2068 vssvc.exe
Token: SeRestorePrivilege 2068 vssvc.exe
Token: SeAuditPrivilege 2068 vssvc.exe
Token: SeBackupPrivilege 1488 wbengine.exe
Token: SeRestorePrivilege 1488 wbengine.exe
Token: SeSecurityPrivilege 1488 wbengine.exe
Token: 33 3976 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3976 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3976 SearchIndexer.exe (25 identical entries)
Token: SeDebugPrivilege 2828 SecuriteInfo.com.Win32.TrojanX-gen.29310.exe (5 identical entries)
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2828 SecuriteInfo.com.Win32.TrojanX-gen.29310.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target
PID 4352 wrote to memory of 2828 4352 SecuriteInfo.com.Win32.TrojanX-gen.29310.exe 91 (8 identical entries)
PID 3976 wrote to memory of 740 3976 SearchIndexer.exe 118 (2 identical entries)
PID 3976 wrote to memory of 3308 3976 SearchIndexer.exe 119 (2 identical entries)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4352

    C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.exe (child of PID 4352)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.exe"
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2828

C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:1500

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:1104

C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4852

C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:3196

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4788

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4440

C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1516

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:4380

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4620

C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:3420

C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:1768

C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:220

C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2344

C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3424

C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:5036

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:3720

C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:1128

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:2736

C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976

    C:\Windows\system32\SearchProtocolHost.exe (child of PID 3976)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:740

    C:\Windows\system32\SearchFilterHost.exe (child of PID 3976)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID:3308
Network
MITRE ATT&CK Enterprise v6
Downloads