Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 01:02
Static task: static1
Behavioral task: behavioral1
Sample: 4a6385a8e80d79930e8b6f85141b1b3f.exe
Resource: win7-20240221-en
General

Target: 4a6385a8e80d79930e8b6f85141b1b3f.exe
Size: 5.5MB
MD5: 4a6385a8e80d79930e8b6f85141b1b3f
SHA1: a15a08ee419f1a40f81d5284aefe6796f02b106c
SHA256: ea4419a9004f3a68010ae436b33bcaf3450418bc90e3f9384ad83200cef9f095
SHA512: 92af17a0764be587d8994b7e3cbe262a16f486a8f956a9aea7987da0135903381b11b51b71f8616ed4bc68a2e76ea7846434ead4648d413caebe0231d270de48
SSDEEP: 49152:fEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1cn9tJEUxDG0BYYrLA50IHLGfN:bAI5pAdVen9tbnR1VgBVmx8t4C7
Malware Config

Signatures

Executes dropped EXE (26 IoCs)
pid | Process
1548 | alg.exe
3776 | DiagnosticsHub.StandardCollector.Service.exe
544 | fxssvc.exe
4596 | elevation_service.exe
3472 | elevation_service.exe
932 | maintenanceservice.exe
2980 | msdtc.exe
3848 | OSE.EXE
3756 | PerceptionSimulationService.exe
4480 | perfhost.exe
3036 | locator.exe
4172 | SensorDataService.exe
2592 | snmptrap.exe
5000 | spectrum.exe
2624 | ssh-agent.exe
4856 | TieringEngineService.exe
1288 | AgentService.exe
4876 | vds.exe
1740 | vssvc.exe
4644 | wbengine.exe
2148 | WmiApSrv.exe
3184 | SearchIndexer.exe
6008 | chrmstp.exe
6132 | chrmstp.exe
5296 | chrmstp.exe
5388 | chrmstp.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\c2f30e28293b476c.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Windows\System32\vds.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\alg.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\locator.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 4a6385a8e80d79930e8b6f85141b1b3f.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bede559088b4da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d64f799188b4da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005146479288b4da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ee5259288b4da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000047b99a9288b4da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008482239288b4da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Modifies registry class 1 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
-
Suspicious behavior: EnumeratesProcesses 46 IoCs
pid Process
1552 chrome.exe (2 events)
4516 4a6385a8e80d79930e8b6f85141b1b3f.exe (35 events)
3776 DiagnosticsHub.StandardCollector.Service.exe (7 events)
1556 chrome.exe (2 events)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
668 Process not Found
668 Process not Found
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process
1552 chrome.exe
1552 chrome.exe
1552 chrome.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 3912 4a6385a8e80d79930e8b6f85141b1b3f.exe
Token: SeTakeOwnershipPrivilege 4516 4a6385a8e80d79930e8b6f85141b1b3f.exe
Token: SeAuditPrivilege 544 fxssvc.exe
Token: SeRestorePrivilege 4856 TieringEngineService.exe
Token: SeManageVolumePrivilege 4856 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1288 AgentService.exe
Token: SeBackupPrivilege 1740 vssvc.exe
Token: SeRestorePrivilege 1740 vssvc.exe
Token: SeAuditPrivilege 1740 vssvc.exe
Token: SeBackupPrivilege 4644 wbengine.exe
Token: SeRestorePrivilege 4644 wbengine.exe
Token: SeSecurityPrivilege 4644 wbengine.exe
Token: 33 3184 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3184 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3184 SearchIndexer.exe (24 events)
Token: SeShutdownPrivilege 1552 chrome.exe (13 events, alternating with the next row)
Token: SeCreatePagefilePrivilege 1552 chrome.exe (13 events)
-
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process
1552 chrome.exe
1552 chrome.exe
1552 chrome.exe
5296 chrmstp.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3912 wrote to memory of 4516 3912 4a6385a8e80d79930e8b6f85141b1b3f.exe 83 (2 events)
PID 3912 wrote to memory of 1552 3912 4a6385a8e80d79930e8b6f85141b1b3f.exe 84 (2 events)
PID 1552 wrote to memory of 4380 1552 chrome.exe 86 (2 events)
PID 1552 wrote to memory of 1380 1552 chrome.exe 112 (repeated)
PID 1552 wrote to memory of 4744 1552 chrome.exe 113 (2 events)
PID 1552 wrote to memory of 3264 1552 chrome.exe 114 (repeated; 64 events listed in total)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
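The AdjustPrivilegeToken, WriteProcessMemory and "Drops file in System32 directory" tables above are printed as separate lists, but they line up per process: the sample (PIDs 3912 and 4516) enables SeTakeOwnershipPrivilege and opens service binaries such as msdtc.exe, vssvc.exe and WmiApSrv.exe under System32 for modification, and those are the binaries the sandbox later lists under "Executes dropped EXE" once the corresponding services start. The script below is an added example, not part of the sandbox report, that correlates rows of these three kinds into a per-image summary and applies two triage rules. The row layout it parses is inferred from how the rows read on this page, and the input is a constructed subset of this report's rows, not a full dump.

```python
import re
from collections import defaultdict

# Rows copied from this report's AdjustPrivilegeToken, WriteProcessMemory and
# "Drops file in System32 directory" tables (constructed subset for the example).
REPORT_ROWS = [
    "Token: SeTakeOwnershipPrivilege 3912 4a6385a8e80d79930e8b6f85141b1b3f.exe",
    "Token: SeTakeOwnershipPrivilege 4516 4a6385a8e80d79930e8b6f85141b1b3f.exe",
    "Token: SeAuditPrivilege 544 fxssvc.exe",
    "Token: SeBackupPrivilege 1740 vssvc.exe",
    "Token: SeShutdownPrivilege 1552 chrome.exe",
    "PID 3912 wrote to memory of 4516 3912 4a6385a8e80d79930e8b6f85141b1b3f.exe 83",
    "PID 3912 wrote to memory of 1552 3912 4a6385a8e80d79930e8b6f85141b1b3f.exe 84",
    "PID 1552 wrote to memory of 1380 1552 chrome.exe 112",
    r"File opened for modification C:\Windows\System32\msdtc.exe 4a6385a8e80d79930e8b6f85141b1b3f.exe",
    r"File opened for modification C:\Windows\system32\vssvc.exe 4a6385a8e80d79930e8b6f85141b1b3f.exe",
    r"File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe 4a6385a8e80d79930e8b6f85141b1b3f.exe",
    r"File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe",
    r"File opened for modification C:\Windows\system32\fxssvc.exe DiagnosticsHub.StandardCollector.Service.exe",
]

# Row layouts as they appear on this page (assumed, not a documented export format).
TOKEN_RE = re.compile(r"^Token:\s+(\S+)\s+(\d+)\s+(\S+)$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")
FILE_PREFIX = "File opened for modification "
BINARY_EXT = (".exe", ".dll", ".sys")


def parse_rows(rows):
    """Fold rows into a per-image summary plus a PID -> image map built from the rows that carry PIDs."""
    summary = defaultdict(lambda: {"pids": set(), "privs": set(), "sys32_bins": set(), "writes_to": set()})
    pid_image = {}
    for row in rows:
        m = TOKEN_RE.match(row)
        if m:
            priv, pid, image = m.groups()
            pid_image[int(pid)] = image
            summary[image]["pids"].add(int(pid))
            summary[image]["privs"].add(priv)
            continue
        m = WPM_RE.match(row)
        if m:
            src, dst, image = m.groups()
            pid_image[int(src)] = image
            summary[image]["pids"].add(int(src))
            summary[image]["writes_to"].add(int(dst))
            continue
        if row.startswith(FILE_PREFIX):
            # Paths may contain spaces; the process image is the last space-separated token.
            path, image = row[len(FILE_PREFIX):].rsplit(" ", 1)
            low = path.lower()
            in_sys_dir = "\\windows\\system32\\" in low or "\\windows\\syswow64\\" in low
            if in_sys_dir and low.endswith(BINARY_EXT):
                summary[image]["sys32_bins"].add(path)
    return summary, pid_image


def findings(summary, pid_image):
    """Return (rule, image, detail) triples for the two triage rules."""
    out = []
    for image, s in sorted(summary.items()):
        # Rule 1: a System32 binary opened for modification. Service binaries there are
        # TrustedInstaller-owned, so an admin-level writer normally has to take ownership first;
        # SeTakeOwnershipPrivilege in the same process makes the pairing stronger.
        if s["sys32_bins"]:
            rule = ("take-ownership+system32-binary" if "SeTakeOwnershipPrivilege" in s["privs"]
                    else "system32-binary-modified")
            out.append((rule, image, sorted(s["sys32_bins"])))
        # Rule 2: WriteProcessMemory into a process running a different image. Targets whose
        # image is unknown from the rows are treated as same-image so they are not flagged.
        cross = {dst for dst in s["writes_to"] if pid_image.get(dst, image) != image}
        if cross:
            out.append(("cross-image-memory-write", image, sorted(cross)))
    return out


if __name__ == "__main__":
    summary, pid_image = parse_rows(REPORT_ROWS)
    for rule, image, detail in findings(summary, pid_image):
        print(f"{rule:32} {image:48} {detail}")
```

The cross-image rule is deliberately weak: a parent writing into a child it has just created is routine (every 1552 row above is chrome.exe writing into its own helper processes), so a hit only names the pair to look up in the process tree, not that injection occurred.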
Processes
-
C:\Users\Admin\AppData\Local\Temp\4a6385a8e80d79930e8b6f85141b1b3f.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\4a6385a8e80d79930e8b6f85141b1b3f.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3912
  C:\Users\Admin\AppData\Local\Temp\4a6385a8e80d79930e8b6f85141b1b3f.exe (level 2)
  Command line: C:\Users\Admin\AppData\Local\Temp\4a6385a8e80d79930e8b6f85141b1b3f.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2cc,0x2d0,0x2d4,0x2a0,0x2d8,0x140462458,0x140462468,0x140462478
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4516
  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 1552
    C:\Program Files\Google\Chrome\Application\chrome.exe (level 3)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9272bab58,0x7ff9272bab68,0x7ff9272bab78
    PID: 4380
    C:\Program Files\Google\Chrome\Application\chrome.exe (level 3)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1908,i,8879763321653878055,3327474905912599471,131072 /prefetch:2
    PID: 1380
    C:\Program Files\Google\Chrome\Application\chrome.exe (level 3)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1908,i,8879763321653878055,3327474905912599471,131072 /prefetch:8
    PID: 4744
    C:\Program Files\Google\Chrome\Application\chrome.exe (level 3)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2156 --field-trial-handle=1908,i,8879763321653878055,3327474905912599471,131072 /prefetch:8
    PID: 3264
    C:\Program Files\Google\Chrome\Application\chrome.exe (level 3)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1908,i,8879763321653878055,3327474905912599471,131072 /prefetch:1
    PID: 4348
    C:\Program Files\Google\Chrome\Application\chrome.exe (level 3)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1908,i,8879763321653878055,3327474905912599471,131072 /prefetch:1
    PID: 1960
    C:\Program Files\Google\Chrome\Application\chrome.exe (level 3)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3684 --field-trial-handle=1908,i,8879763321653878055,3327474905912599471,131072 /prefetch:1
    PID: 5204
    C:\Program Files\Google\Chrome\Application\chrome.exe (level 3)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4504 --field-trial-handle=1908,i,8879763321653878055,3327474905912599471,131072 /prefetch:8
    PID: 5712
    C:\Program Files\Google\Chrome\Application\chrome.exe (level 3)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4112 --field-trial-handle=1908,i,8879763321653878055,3327474905912599471,131072 /prefetch:8
    PID: 5720
    C:\Program Files\Google\Chrome\Application\chrome.exe (level 3)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4740 --field-trial-handle=1908,i,8879763321653878055,3327474905912599471,131072 /prefetch:8
    PID: 5752
    C:\Program Files\Google\Chrome\Application\chrome.exe (level 3)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4892 --field-trial-handle=1908,i,8879763321653878055,3327474905912599471,131072 /prefetch:8
    PID: 5844
    C:\Program Files\Google\Chrome\Application\chrome.exe (level 3)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4480 --field-trial-handle=1908,i,8879763321653878055,3327474905912599471,131072 /prefetch:8
    PID: 5940
    C:\Program Files\Google\Chrome\Application\chrome.exe (level 3)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4112 --field-trial-handle=1908,i,8879763321653878055,3327474905912599471,131072 /prefetch:8
    PID: 5992
    C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe (level 3)
    Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    - Executes dropped EXE
    PID: 6008
      C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe (level 4)
      Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      - Executes dropped EXE
      PID: 6132
      C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe (level 4)
      Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      PID: 5296
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe (level 5)
        Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        - Executes dropped EXE
        PID: 5388
    C:\Program Files\Google\Chrome\Application\chrome.exe (level 3)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 --field-trial-handle=1908,i,8879763321653878055,3327474905912599471,131072 /prefetch:8
    PID: 5504
    C:\Program Files\Google\Chrome\Application\chrome.exe (level 3)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1568 --field-trial-handle=1908,i,8879763321653878055,3327474905912599471,131072 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID: 1556
-
C:\Windows\System32\alg.exe (level 1)
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID: 1548
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (level 1)
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID: 3776
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 4984
-
C:\Windows\system32\fxssvc.exe (level 1)
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 544
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (level 1)
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID: 4596
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (level 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 3472
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (level 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID: 932
-
C:\Windows\System32\msdtc.exe (level 1)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 2980
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (level 1)
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 3848
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (level 1)
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 3756
-
C:\Windows\SysWow64\perfhost.exe (level 1)
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 4480
-
C:\Windows\system32\locator.exe (level 1)
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 3036
-
C:\Windows\System32\SensorDataService.exe (level 1)
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 4172
-
C:\Windows\System32\snmptrap.exe (level 1)
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 2592
-
C:\Windows\system32\spectrum.exe (level 1)
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 5000
-
C:\Windows\System32\OpenSSH\ssh-agent.exe (level 1)
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 2624
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 3372
-
C:\Windows\system32\TieringEngineService.exe (level 1)
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 4856
-
C:\Windows\system32\AgentService.exe (level 1)
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1288
-
C:\Windows\System32\vds.exe (level 1)
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 4876
-
C:\Windows\system32\vssvc.exe (level 1)
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1740
-
C:\Windows\system32\wbengine.exe (level 1)
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4644
-
C:\Windows\system32\wbem\WmiApSrv.exe (level 1)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 2148
-
C:\Windows\system32\SearchIndexer.exe (level 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3184
  C:\Windows\system32\SearchProtocolHost.exe (level 2)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID: 5012
  C:\Windows\system32\SearchFilterHost.exe (level 2)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  - Modifies data under HKEY_USERS
  PID: 5432
-
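Two of the command lines in the process tree are worth reading side by side: the sample in %TEMP% relaunches itself as a Chromium crashpad handler (--type=crashpad-handler, --annotation=prod=Chrome, --annotation=ver=113.0.5672.93), while the Chrome actually installed on the VM runs its handler from Program Files, reports --annotation=ver=110.0.5481.104, and keeps its installer under Application\110.0.5481.104. The parser below is an added example, not part of the sandbox report or of Chromium, that splits Chromium-style command lines and flags helper processes that run from outside the install directory or whose version annotation does not match the installed build. CHROME_DIR is an assumed install location; the three command lines are copied from this page with the --initial-client-data handle list left off.

```python
import re

# Command lines copied from this report's Processes section (constructed test set,
# --initial-client-data omitted).
SAMPLE_HANDLER = (
    r'C:\Users\Admin\AppData\Local\Temp\4a6385a8e80d79930e8b6f85141b1b3f.exe '
    r'--type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler '
    r'"--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" '
    r'--url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 '
    r'--annotation=prod=Chrome --annotation=ver=113.0.5672.93'
)
CHROME_HANDLER = (
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler '
    r'"--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 '
    r'--monitor-self-annotation=ptype=crashpad-handler '
    r'"--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" '
    r'--url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 '
    r'--annotation=prod=Chrome --annotation=ver=110.0.5481.104'
)
CHRMSTP_HANDLER = (
    r'"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" '
    r'--type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler '
    r'--database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report '
    r'--annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome '
    r'--annotation=ver=110.0.5481.104'
)

CHROME_DIR = r"c:\program files\google\chrome\application"  # assumed install location
VERSION_DIR_RE = re.compile(r"\\application\\(\d+(?:\.\d+){3})\\", re.I)


def split_cmdline(cmd):
    """Split a Windows command line on spaces outside double quotes; the quotes themselves are dropped."""
    args, cur, quoted = [], [], False
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def parse_chromium_cmdline(cmd):
    """Return (image, switches, annotations); --annotation=k=v switches are folded into their own
    dict and non-switch arguments such as /prefetch:7 are ignored."""
    args = split_cmdline(cmd)
    image, switches, annotations = args[0], {}, {}
    for arg in args[1:]:
        if not arg.startswith("--"):
            continue
        key, _, value = arg[2:].partition("=")
        if key == "annotation":
            ak, _, av = value.partition("=")
            annotations[ak] = av
        else:
            switches[key] = value
    return image, switches, annotations


def installed_version_from_path(path):
    """Chrome keeps per-version files under Application\\<ver>\\; pull that version out of a path."""
    m = VERSION_DIR_RE.search(path)
    return m.group(1) if m else None


def assess(cmd, installed_version):
    """Flag Chromium helper processes that do not look like they belong to the installed Chrome."""
    image, switches, annotations = parse_chromium_cmdline(cmd)
    notes = []
    helper_type = switches.get("type")  # absent for the browser process itself
    if helper_type and not image.lower().startswith(CHROME_DIR):
        notes.append(f"{helper_type} helper launched from outside the Chrome install directory: {image}")
    ver = annotations.get("ver")
    if helper_type == "crashpad-handler" and ver and ver != installed_version:
        notes.append(f"crashpad handler reports ver={ver}, installed Chrome is {installed_version}")
    return {"image": image, "type": helper_type, "annotations": annotations, "notes": notes}


if __name__ == "__main__":
    installed = installed_version_from_path(parse_chromium_cmdline(CHRMSTP_HANDLER)[0])
    for cmd in (SAMPLE_HANDLER, CHROME_HANDLER, CHRMSTP_HANDLER):
        r = assess(cmd, installed)
        print(r["image"], r["type"], r["annotations"].get("ver"), r["notes"] or "ok")
```

Installers and updaters that embed Chromium components also run helpers from download or temp directories, so a hit from this check is context to read alongside the System32 modifications above, not a verdict on its own.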
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2.1MB
MD5: b9daa7cc5883090ce252356238d60590
SHA1: aa04ffef7657994f01e662ed77650d6bd94b14e4
SHA256: bdfe582819ec6ef77930a5975da3249e371fe5f44c1a3471eda1dc6cf7cc58c1
SHA512: f2bda1f1bacf536eca97d80caffb0441f57a541dbab1cd5867619f3e14deb03b889462642425788e1dc92c5a8a92fa07ae8e829a35b47f901fc717307c989216
-
Filesize: 797KB
MD5: 63e468d88102690e966c6ebe454d0c8c
SHA1: c58d55e3775c075c978b7fd0bdedc26fa2dcd918
SHA256: 9c067faaa50224c8396fff70d2617727fc4ad5cc038b1c4286dc1a72d92344a6
SHA512: 4fca905501066d55b7abf7e7d29d105e5f08bd5c8e49a2492aee62b1db8e14f1a511b675792d2abe1e3ba3a2eae152fda995cc07fd7c3f55e954639ed0a0b02f
-
Filesize: 1.1MB
MD5: d9fe68a89eecbc636a26a219fb42f42a
SHA1: 6d1187a095c82fa3ee1e9ddc3b7f0b42a5a410cf
SHA256: e94671fef676edea6fd16a76945c5c6c1d4646ba789ef31e79c44ec92591ff18
SHA512: 45dc1784ebd8944c60d9b3fe12ac138de1eb51019c490d38bf27f4dfd3a24711c960d5095177fcf8ee4c3030a13c8f10bd82ac151166790cd24ebbd0ffac401d
-
Filesize: 1.5MB
MD5: b14a8a54efa9ca6ae7b3f42e1659eeee
SHA1: a961d3c8734e9ee5b7ff9d15fcec43ca92cb6b8a
SHA256: 08d8f053bd54f238d2bc07209abf80606ac3afee45ac735dcc901b8bd75401c2
SHA512: 645c2b2c440a7bbe74746f11234c643e25d0ddf0692d18b7afc6c6c9ff3b90b83bb7f9796069e7d472e98d6998046e016af139515f5e5fd9f824b185c0395a51
-
Filesize: 1.2MB
MD5: f817a42ccc51217885b39796e43daf8c
SHA1: d3072e7eb3aeb03845aca5833cb6ecde61ad17e7
SHA256: be9a9765edbc8ae0f2b1189872cdfc5ec795e2fde37279b43cd80e2784897c3f
SHA512: 2dc92ab414f6d0526bd2265a329504635eec3994be6df69e789bdee54518437ad1d245d503cf0703b9fef0b8319d2e1cdb6f2473ffa82b9fe54ba33cc4ca6386
-
Filesize: 582KB
MD5: 021587b796c42d5bb5b71361ec31e556
SHA1: 7c5131ba8030dde35807caa7d07bec6355c6361f
SHA256: 39276a76fe6fd00b6e6d5cc125616a20075138c1e9240248db868c3e0f533975
SHA512: 097693c6abb506393f3d1a4582aa41b8680d7790e58b8066570a995cb5024b7eec34fd9e2894297d601eecca02f32579545ae6980af5f42f554ea0b7a9d5fd4c
-
Filesize: 840KB
MD5: 1f10a4c0f297b289a2f37a464f6c74e8
SHA1: 0456a3ea118141e43aca799c569d5ed51bc10d07
SHA256: 2071f5b1e129f56c16c8a01fe27d643511fe0539090a0d6b847c97c417aab3f0
SHA512: ea05da1be67fbefa6b9bdb79151cec3755c4ecdb663eddfe46625bb4bc02e0b06366202f4f791436d7ab8cb08d92abcb28b25b7db09dbc50e8a0a7fb7c41be71
-
Filesize: 4.6MB
MD5: 671300a949a6fb8c8e3ff061b815dc5b
SHA1: bbd8f5ec49558c61debf15bbb57f2112146dc3ae
SHA256: 2e86b3c49fe5c313c004d0255086b12cb5f18cc84e295e6dc0fef748cc77a796
SHA512: a11fb42e929937b05bd9597a5c9cc2713e661e23feadd21b0555d1d41ca98fea3056576b64b03968a7d211d340241ebd63a662fa1e73382860a0f8bdd32fdd3b
-
Filesize: 910KB
MD5: 08a682bfa3dd3d2e34fa9c8b4719a9dc
SHA1: 36a06872d7db63fedc3406f04a80c7285e8c0b95
SHA256: 3baa1aa131c0fb98cb24de889ed6871e6998f6c96f78ad1685aceb18bc917ab2
SHA512: 2e354b36c1d4834a15fac992ecf7b5d767c496c7588207e35d4505b0ff1ccb80b461713e59f2069e8a236a59cf6736bdbd32a8244fd8e093fe116554ff40e9c3
-
Filesize: 24.0MB
MD5: d57e3e5bd7ad60901c67e443271584df
SHA1: 7bac720ec7af92e658ea724f91511b53987703a4
SHA256: 3d460e1cd18e10809781a7f7ef3503c7b8711859ae48f7ce64b15d214d8622a7
SHA512: 7cb7d0dd9f2eb767fa95bbe1c5a12d494df0f08c7cebda8c850c898b593c407975f97fab8218aca79eeb5991cd17b8f30c6c56ccce115a8c4fc0b7b24aef26bb
-
Filesize: 2.7MB
MD5: e721f11d47ecc00fbb952ab1dceab9b7
SHA1: 06197229651b1b0c989e246b47d1bde067f274a7
SHA256: 8d3c22052786f394077fed85dab20494cd895c44cc1eb18e9bd0fe65fa71348f
SHA512: 9f5a8ccbdad4f5b5e42b49e5380b1dd3aa403f6e22233a0822dbe2b64c743711e6552c21b1ff0c0e537d4d369ed17294b204a25c7751a17b9796f51a283d37f5
-
Filesize: 1.1MB
MD5: 93aadd87745e24fbdd1b38a2452afdbf
SHA1: a30692a8b94851661e1f8dffe75fd27bae0f0dbf
SHA256: 9fb594999145a105b832c9073b46be45c159cf471bd830786a9012e0c8de53de
SHA512: 2c40cc5f35a1230f78adfeb6ee3af8720a4da0730c18439fbe3428fc5e6af36d2b25e0f4072c4450fa9f5e35933cf6257a600023ad81cbeb6d0fb4ac0d6e24a3
-
Filesize: 805KB
MD5: 4d373d6b931383870b04496a5d5415ad
SHA1: 044e554fd33568f1332bdba9c12cc6af1eb3727a
SHA256: 3bb81eee0ba08b6a9b5f35c3a22159a08008ce7821d690392ba3b15851d82865
SHA512: 5a0020157b8682768908e9eb240a3d5a9352cb6f0ba6b1a6b033d909b9b45ad69ea5a0f8655260f7c8b07d6424df4d5e9f8eda0d63885ebb72a0eca988cb7f88
-
Filesize: 656KB
MD5: 64501a67f13c9574b7df0c5e368c991a
SHA1: 5ba40249777fad5cbd0a5c9b6a75a72eb69bf5ff
SHA256: ee864ebbd79ed043890ba2ab44d38f9c5151b9f4626e6e3c1d5b6c37958f6475
SHA512: 623a9f90f740bd530a6c781fceb8e3e4466110f1fe58edfdddaedc4ee5c1ac535f9c151b3f474855021759ac413000158b225d73a1302f4bc57af3b550e0d2ba
-
Filesize: 5.4MB
MD5: 7668845279845e4d7bc30c300a0ba3ab
SHA1: edfa523db283ebaab09553c3d92427e717b89546
SHA256: dd1188da62fb23e918dfac2ce42b492e0ffb916f625e32eee5d4469dd2a07ea8
SHA512: 91c06f33165ef0208827c29b10ba0afe559264e1731100c7238a1f5776e056e727d7685d65344b09f57c13e4eb6f52338605aed54e6555a3ae7812086c6bfa68
-
Filesize: 2.2MB
MD5: 8aad5ebfac8b8c46dfa788d3569b46f5
SHA1: 82e9c63e868bf5514df881db429bca1cfa66f777
SHA256: 8bb58d2f2350261a6395bbbe5d02a19453537a715e9c7edf1253da246d0bff47
SHA512: 485578479b662b878efd245e9a461034b35511a02a51b07d8c283af201ef4dbc5ea3fc0a7291b01106740e8cc3b2394e5b592bfea9dc38ef694e172805652fff
-
Filesize: 1.5MB
MD5: 199854dbc6b3931e692241d9f6a0516f
SHA1: 9a7af74fcad016232162a44c47f84b81b0d8ea08
SHA256: 22a0e76b12dcd477f93175b5fa9c7cdc98da8541fb670be57995a43e78ee932e
SHA512: eff484b4a128081e9f5faf3c2cc75f354c712d663b42d3c92e512355d24d7218430f4add0e8308310ea52f8998bbcc82e8676bd2fe40cdc518d911196692c561
-
Filesize: 40B
MD5: 23e6ef5a90e33c22bae14f76f2684f3a
SHA1: 77c72b67f257c2dde499789fd62a0dc0503f3f21
SHA256: 62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790
SHA512: 23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122
-
Filesize: 193KB
MD5: ef36a84ad2bc23f79d171c604b56de29
SHA1: 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256: e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512: dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize: 1KB
MD5: 37f47aea08f5105f8ae4bbcbb2759a4a
SHA1: 65afa0ecce419327fcaed138cfc09b6771035a91
SHA256: 7926dcf9fd9282bb2928b57d05aa8888fe953231906f386c206118d72e7c18c4
SHA512: b8bc40cd22709dea4ce0492bac047fc8f1095e57eb9eb265185576fa6de528af562732e1b99ea8eb3d68511c53791c00b473f69758f1c9c876b570ce0fdfaf8e
-
Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize: 356B
MD5: b827754f456c17abb8237e311372e248
SHA1: 2f0757548439b589e2c1cae7cd448e161f9dc6cc
SHA256: df9124c42ac1a5c9cc0604e759d53532be714407b2451a9d54a0e7cf80423599
SHA512: 9714723bb7d515a5f3c17fbc75aa4b84be822b6dbb9a1beedfb12bd73c75848274fc1752c96baf041dd25f5c3b3ad6a517bbf7983a6c5d7dab6f1adc87984ef3
-
Filesize: 5KB
MD5: b6b48e99e3edcbf20d62dd4e2d82c513
SHA1: 3be11a32d8cf194d840979a115eb7d5ffc9caca7
SHA256: d66e1f2964b772d09b9a1d5b67d3181d8c275aabd9172a2a3d5087d3bc5bf1c0
SHA512: 2481e3a05c70d54f9d3c8b2f06e622a3bfff1bd80e698def6727d8c8cc73e3888c691b1db5ef32d8ec5a73aa61267ef088e4746ab35b65e243462b73abc973a4
-
Filesize: 2KB
MD5: 8441fa327ce1f6c12f371a1535e655be
SHA1: 7ccca62179f1eb9a2d47c3886ad8ad4bf5b15071
SHA256: 975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158
SHA512: 986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4
-
Filesize
16KB
MD561c229d7b97b4ddfb4c4b8e27b893456
SHA18ffe3eb01e4b7940fc6dbe3f0db9cbd87662a641
SHA2567031157fedda35a4683ffcf2a1c6d5ee7caf33c159d5e5b9789dc77d48d6a341
SHA512f664c68ba1924000803c593b1a947ca9f9bafcbcabfd722c4269bd238c9d06599dceb36b90be6836933f8b61744ce67f1a59d74b6352903c0b54d3bb854967c7
-
Filesize
261KB
MD51dcebc575da1ca827e6b638f58ae75f5
SHA1026c7b4be53a6548651c8f5eb9dee521f6d8ecc5
SHA2561f1a16bce44857640d716bf22b7abb08908b098e703c4c97c7b71a484fccd4b4
SHA512a70294d1a40ca8fc4d39cf0e2a529cd7bdc09ca573c786d232c34e060a9ea9bd9c74f2d8e16586db2fc0851a29d141484f7f9666d1770ca70a858ede40410bcf
-
Filesize
7KB
MD5ef11e4e88d048dea2f87c88b9fd58c3c
SHA1713cddcc2e93071b70aae99402387226fa6caaa2
SHA256ba62ab38183b0247a460aed087831893b620ea330816f9b36124059d5a684a79
SHA512e1d8495698e074f042262dbd88e22de8f7a182220c807f5c6acaa7bcff840b5946693ba784b14857936c9ab2b62c93a1d1ed6aa60eeb788a8366bd782f4853ee
-
Filesize
8KB
MD59e83f837629a6f5bfc9d39e7cfa9308c
SHA1b2e2b3f188d8ce13add5d8ef546d53cf1578ac1b
SHA256e82d652b2b1ce3f1fdb448d2edce6def1cba1ef8e12c6b4cec7805dc3fa4a211
SHA512440dd04bb6acbf76249c11ad997c2db9bd91b749ac4230ab86d59d809fb7271d53e344c0dbcfa53f6b9a5ef601b307c10dc4f59efa7584857338ea2efb1b7b37
-
Filesize
12KB
MD54584c53565d5625d5b6f88ed2e999022
SHA1e227e625a8a17713d606c99bb76c13a849ca0a65
SHA256076b43d76c375fc88fd0a483baa5bcb1ac8c0616d76359b9b6cde2378b4f732c
SHA512814e27fb2538570d3b56d3beff0f6520d74c0ae058cae7eb3b6ba1f81ee1821e73998d531b328a1491a9d20f99ff1a8e14b6946a52ef1aeea9595ae931491c9b
-
Filesize
588KB
MD5f03bf0dfdd8d5adaacb1beea4e205089
SHA186e10dc7474793ef758943be63cd44dd58768475
SHA2561838d5a683edcb5322f250f048f0ac32948b2745fa619ea5ef950f4dae6dce4c
SHA512fc29e419c19938bae72b2e517178d5a72f9c0dcca779976a0ed73837bbfb583633e9509cf1bb3ffbeba8ea05898b42c4cf21b593e16fad5c242cf8b7f4eef872
-
Filesize
1.7MB
MD5d997d58d18657e476b7ec2002f508f07
SHA1aac452caecdb0b92073ed206f0f623ecafcfb73f
SHA25654e1e2a6ff952f7a94e064c1dc8f66f15a3ff37d12feafeb67b635cf98c4028b
SHA512ec5455a89e92760571c4201f3f5e99126c3622fefe02513a3506ca955a8788242e335eb16566941d432295ba91bafb41f8e93a1ae81ba8741f4cf248bfc38bc7
-
Filesize
659KB
MD58fe989682c799eb7232f4530c9733e53
SHA1d444b84f028c5a2497b44ebd2617118f08d868ec
SHA256febd8a1128022060d94231c3e2731fe09ad513ecf58bf125ac67f5d6f0670c8b
SHA5123417c5c804040e9a49470b1d792ecb11c9644ebd1448fd4d27f475f1715cfaa846ccd40c37a93333c2093db51c48e3f0d6e98ed8a430b5f0f9cae33e3dd55aab
-
Filesize
1.2MB
MD5fa7924ca7b7c1750ac474fe2a33ea2f9
SHA1089642abb8c1a4968c906d293bb5fe1b4b8f54e4
SHA2566d5fb86afd97b5e6fa79cd6381edf77ac77ef98edc199af3510637933373c660
SHA51256216aab464f32d8215c28792853d8cc2b72461b4241257653c14f9556016ce7aeef07619245df5b70202a6b9342fd14f342a2f7ce0b58d9a0be429be5c960c7
-
Filesize
578KB
MD526c741d70d35d9f4397847ff58ef5726
SHA147f28bb0219082c97b3b29aef896474af69b04e6
SHA256ddc43273cd0a6ff0bbfd997a45648866f443432728f300336f08dc11c0f18248
SHA512e5faa0c9485ed78611a51e6b004e1846dd2c6ea84605ea18a20c6f32c40aaf2fe761bab87e800c1a1efd0f9c104cc586e99259c6d58b4592032e24c58d69a843
-
Filesize
940KB
MD5239f98dc8b6de523969ec6ee28c66433
SHA111b9e8723376e6bba29532e12115b01a11d8db7e
SHA256f5d0460bb7c4b589e2fbb360b1d8a4e1fa9b526f9bedd9d6d9aab5a1920d68ad
SHA512bd8c951754d0514325ee51c3973ccafac73dfca8e4682cb31dd6e6090988040055504b2094801eb9fca590b346647fc30f016a1943c42e37536f7afdd3a57e46
-
Filesize
671KB
MD5ad31b7b4be7d6764625f9a3158efdbd1
SHA1438dcce54604ddbbfb10d9b5e0f018f96406a907
SHA256d1fd57d3a50e8417257da249a3ed575bd9b6b222c8ce3723df09057bb1bde8e6
SHA5125235d1f6272823fb8333e72120e7f793d535acf076dff3f27ee619b12ed01958cfe1fd29b9ca74594caeecba6df5920e36cb0847dfe45756ba7a2bd35479e93c
-
Filesize
1.4MB
MD5329398b7e1034ca8ac83fe1a0878bed2
SHA1f946633e9b4dbd294e3fea3c592fffb19cfa94c1
SHA2565a92b12970b7b2baa2b1d74fcd087679e516733155c4150a75198345c93f9730
SHA5124a305d1655e7286fbe1c0fb0c709b4046fb6cde813eb902d22a20d42854a1c83b24de10e49afef83a4ec4e2b47869266d4bf54547de3a8198353b7d0e80d1b87
-
Filesize
1.8MB
MD514091307eae01f3f46ce9fb50cb9c405
SHA16907e15f3bb755f6d27095f2981f53487bc82527
SHA2561d1dfaca7ee2dcff9f695f78e74cb1a960943b0d9c8116d36acb92f44487d23a
SHA512cfad6f945c56336457bec77c2b4d041ef39076f7bcbf58e4024a2d8a586ac6e5223648380f3a77b6e4d7763bc4df80be6cd05c7df622e80670ca0253f5d8b072
-
Filesize
1.4MB
MD5e67ab686d2680d3aad318dd8dd9b4962
SHA14e0d379f62208d53e0b6b478c4c5aee5c6456b1e
SHA25665ded052a0da097cd36979b5e20ad446ce5b2a4de73d148015e99896dcd10a20
SHA512c500f976b68735cdd4e28fb01d5fe7dce17cd99dbb9e5a6ac717b0387a87fb65a3ee4de062a474ceef03291d7c91c36ac68cf074fe9542068ea747a8eab91b33
-
Filesize
885KB
MD54ae5a297315a4243fa5d952f9c592ebb
SHA11fd25653cbcf963293d4a2dbfd158caa7d12c5ca
SHA25614c59e38a5c58586e701209811fde3951fd0ec279a391c3fccbd6db52a176f20
SHA512cf448a9ad589a22ef22f5457eaf0ef5f6d62b44419be4e1bbcfba92e0be8bde115cdb3ac988952ecc4c8110c4d39535b58fa549cb1146244e9b1f07e4d30efc5
-
Filesize
2.0MB
MD5b7ab18e8c5bdeda584291548f52232f3
SHA1635fbdcfa71b7b96687ed98a02c934485faf12dc
SHA2569a41c64cd3c958104afefc2c20151c5a12f2c1817e407e61d3c82c4a66cd18fd
SHA512be5d31c60eddbb3fb5bd5a399cf2c596c98b5fcb1b25c188d1ae40f525dd2bdc925e1872a8cb4c78b1a9b267f615c16de1e9869356617ed21c7ee17bfd5aa5a4
-
Filesize
661KB
MD5ba7c0d749f060163a97b74559a8145b3
SHA176679b098216e7d459f465888fca9bdb712d7137
SHA256e7e740c8b0f482ed357526193e54d23494ff89fcf0da88f94c03ead5ea05c6f7
SHA5125720180b2fe8879c740a42efc331116ba318e9e569d46ad60e48f8cbebac9602c79bab3728fef55958b27639fa9360095d6d9a000c9959b58d41fcb8128f39d9
-
Filesize
712KB
MD571216a2a674283c961ee16175da2ba4d
SHA15dc34802c7a47eb0959b85bd46231decb63e9608
SHA25632164b328a2468ac2b4c360a779e99535bb7b8589f5f5708b742b82a908e2268
SHA5123fc06552cb42f48f72b7b48be81b4592bc2a415b069bdd510a322270e09e6d9213edabe1b73f47daf91f01dfc4aa489b7c154c771b30526f97c95e806ad45eda
-
Filesize
584KB
MD5ebac346212d6775f53117f02aafeb605
SHA15b055cb8acbdcfcb0107a62a480bed728631a8b4
SHA25621110f97f1583244ee8afa5a9f893be2ef72c04b215a9c3b764f0ddcd72d145d
SHA512f9f51653e32bb853c8ad18105865be2cc0cf66f107b0769ca3994cbe8bed28c665baaaa38134dc4a72330e655d99bdf4ce82694f304cdf4693a8a24bbf40022f
-
Filesize
1.3MB
MD5864386ec69e19bb3e59d29a1bcca628b
SHA1213907b787e9fd785d59deed8842935ad8dfca4a
SHA256bba9c821b7382d59b83c9c47b4b7a65fb214da24c77d4696cc8afa834902f3b4
SHA5128e40d63d9031b956cad29589b2c9f54479e7d2629172602f2c5fa0f15ee6d5eed914c918121a85add0e033d0141c94bb952589c542d62aa2ebb5090c831842ef
-
Filesize
772KB
MD5dd6b4fcf44369e103ff96a15ea07d041
SHA1b1d66645f790da5a0a3c802f4df49bbc150ea00c
SHA2564108af035e0e34532649772e72af2aa66906870c788d993ccb3819ee30290179
SHA51250041c759ad42798aad06077f995b4c49b54c8192c04a7d02334569c5cab022e4be2e3df297d2a1eb4796bfbfe0d60b9743bf7bc8cbb71d7538d8aa3dd76392f
-
Filesize
2.1MB
MD5dfc7bfabde2df314793eba212d1e8a8f
SHA176b3eb03d487da00ce1ee17894bc741e3d1682b6
SHA256d7e6bfd4e8d42df3b82d120edf533f5f48222613c6cee4be18adab63104fe941
SHA512d777cb2a8921e41dc4b6b176032ee4a661239ca1ab12574a711fe36f3201af9addcfa231d588c33d1b63c3057d1d4bf4cdaa4cd05d668adf47f32d4159269c3d
-
Filesize
40B
MD5440112092893b01f78caecd30d754c2c
SHA1f91512acaa9b371b541b1d6cd789dff5f6501dd3
SHA256fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6
SHA512194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea
-
Filesize
1.3MB
MD58d6154d2a29421901af833c2e4beb313
SHA11593511f8b9cbe40fad5b1d57907b7d7866201d8
SHA256be497bcfb0b0d7a6bfe497cf69ab341fcb64309d2ef2ef20cda8ad54e9b0df53
SHA512c2971b21d32ce5b1906d53e477c1d4f3adeb9dad2c754aae315d74d0a83b6a925d70f013b37b856a05cb2f66f1b360faab8ad5da098192dfe3440a7fefc67a91
-
Filesize
877KB
MD5fd4d8d2f64e9d2dd05c924d76ea98f8b
SHA1f74475d2969ec10c524d981a4c2c791b8f7b04b9
SHA25630a019b21ddedf82f3514bded24fff0bca9838d6be1f3d3742f69e2b05bd8fc4
SHA5125a8d56178efc65b2540cc39ad93d23f956499be464c51ea42632e96adf5b7fe41e69f6f318eff34b35fa276616961c8172cd823668c09076d3ee0ec7a09e689c
-
Filesize
635KB
MD57dc063d05c486ee7df5ac6e321f61d1e
SHA102d870f0a215c25e88a1b8d8278f1b403445bf20
SHA2563ebadcf6a7cd857b735c103eb9bf9d9e63c669cf9e8ff3c1450b948eddfaecf5
SHA512fbb78d781f5c3c5a9fe688b0e0a587ef2db309eb1de30e04e3e2925c79875e649529d19a4ef3c80921099be21631f9a9da4c0d3095e3754604a6173b018cf292