Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 01:01
Static task: static1
General
Target: 0538e06b06f6262cce356f13471c0580.exe
Size: 4.6MB
MD5: 0538e06b06f6262cce356f13471c0580
SHA1: 6be9ba68d3a578cdde4084c7103314148b15c5d1
SHA256: 346aec9cc4c999f9161fef5a62701af6d4d83de1eedbee968a6a73e5b2ece0ee
SHA512: f38fce20a85f1c66d854cf3044ac1dc3a4cfb06c829d3cd9c2a9c998d738cb871317177574ec618989a107821cf17e0e79cc6f49d17f930f1b9c413a79a9d3d1
SSDEEP: 49152:2ndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGb:s2D8siFIIm3Gob5iEbU7dG1yfpVBlH
Malware Config
Signatures
Executes dropped EXE 26 IoCs
Processes (pid, process):
- 3620 alg.exe
- 5104 DiagnosticsHub.StandardCollector.Service.exe
- 4524 fxssvc.exe
- 1844 elevation_service.exe
- 3996 elevation_service.exe
- 2984 maintenanceservice.exe
- 1340 msdtc.exe
- 876 OSE.EXE
- 636 PerceptionSimulationService.exe
- 2712 perfhost.exe
- 4892 locator.exe
- 4196 SensorDataService.exe
- 836 snmptrap.exe
- 3672 spectrum.exe
- 2984 ssh-agent.exe
- 1616 TieringEngineService.exe
- 2472 AgentService.exe
- 5044 vds.exe
- 4824 vssvc.exe
- 4868 wbengine.exe
- 3232 WmiApSrv.exe
- 4452 SearchIndexer.exe
- 5576 chrmstp.exe
- 5652 chrmstp.exe
- 5732 chrmstp.exe
- 5772 chrmstp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs
Processes: 0538e06b06f6262cce356f13471c0580.exe, alg.exe, msdtc.exe
Drops file in Program Files directory 64 IoCs
Processes: alg.exe, 0538e06b06f6262cce356f13471c0580.exe
Drops file in Windows directory 3 IoCs
Processes: 0538e06b06f6262cce356f13471c0580.exe, msdtc.exe, alg.exe
description / ioc / process:
- File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  0538e06b06f6262cce356f13471c0580.exe
- File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe
- File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description / ioc / process:
- Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TieringEngineService.exe
- Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: chrome.exe
description / ioc / process:
- Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  chrome.exe
- Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
- Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, chrome.exe, fxssvc.exe
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff SearchProtocolHost.exe -
Modifies registry class 1 IoCs
Processes: chrmstp.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | chrmstp.exe
Suspicious behavior: EnumeratesProcesses 39 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid | process
652 |
652 |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes: chrome.exe
pid | process
2700 | chrome.exe
2700 | chrome.exe
2700 | chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 4 IoCs
Processes: chrome.exe chrmstp.exe
pid | process
2700 | chrome.exe
2700 | chrome.exe
2700 | chrome.exe
5732 | chrmstp.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (tree depth shown by indentation; each entry gives the image path, the command line, the matched signatures and the PID)

C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1040

    C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe
      command line: C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3012

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 2700

        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc8b88ab58,0x7ffc8b88ab68,0x7ffc8b88ab78
          PID: 4408

        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1928,i,11933591766576700632,9035332000016090988,131072 /prefetch:2
          PID: 3876

        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1928,i,11933591766576700632,9035332000016090988,131072 /prefetch:8
          PID: 4188

        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2112 --field-trial-handle=1928,i,11933591766576700632,9035332000016090988,131072 /prefetch:8
          PID: 4444

        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1928,i,11933591766576700632,9035332000016090988,131072 /prefetch:1
          PID: 1176

        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1928,i,11933591766576700632,9035332000016090988,131072 /prefetch:1
          PID: 2016

        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4400 --field-trial-handle=1928,i,11933591766576700632,9035332000016090988,131072 /prefetch:1
          PID: 2408

        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4480 --field-trial-handle=1928,i,11933591766576700632,9035332000016090988,131072 /prefetch:8
          PID: 2792

        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4640 --field-trial-handle=1928,i,11933591766576700632,9035332000016090988,131072 /prefetch:8
          PID: 3664

        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 --field-trial-handle=1928,i,11933591766576700632,9035332000016090988,131072 /prefetch:8
          PID: 5236

        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4716 --field-trial-handle=1928,i,11933591766576700632,9035332000016090988,131072 /prefetch:8
          PID: 5420

        C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
          command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
          - Executes dropped EXE
          PID: 5576

            C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
              command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
              - Executes dropped EXE
              PID: 5652

            C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
              command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
              - Executes dropped EXE
              - Modifies registry class
              - Suspicious use of FindShellTrayWindow
              PID: 5732

                C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                  command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
                  - Executes dropped EXE
                  PID: 5772

        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=1928,i,11933591766576700632,9035332000016090988,131072 /prefetch:8
          PID: 512

        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2436 --field-trial-handle=1928,i,11933591766576700632,9035332000016090988,131072 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses
          PID: 860

C:\Windows\System32\alg.exe
  command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID: 3620

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 5104

C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 2420

C:\Windows\system32\fxssvc.exe
  command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 4524

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  - Executes dropped EXE
  PID: 1844

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 3996

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 2984

C:\Windows\System32\msdtc.exe
  command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 1340

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 876

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 636

C:\Windows\SysWow64\perfhost.exe
  command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 2712

C:\Windows\system32\locator.exe
  command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 4892

C:\Windows\System32\SensorDataService.exe
  command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 4196

C:\Windows\System32\snmptrap.exe
  command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 836

C:\Windows\system32\spectrum.exe
  command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 3672

C:\Windows\System32\OpenSSH\ssh-agent.exe
  command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 2984

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 4504

C:\Windows\system32\TieringEngineService.exe
  command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 1616

C:\Windows\system32\AgentService.exe
  command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2472

C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 5044

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4824

C:\Windows\system32\wbengine.exe
  command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4868

C:\Windows\system32\wbem\WmiApSrv.exe
  command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 3232

C:\Windows\system32\SearchIndexer.exe
  command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4452

    C:\Windows\system32\SearchProtocolHost.exe
      command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID: 6080

    C:\Windows\system32\SearchFilterHost.exe
      command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      - Modifies data under HKEY_USERS
      PID: 6120
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2KB
MD517452b252e572ce0e1d15bd52b3d96dd
SHA176e11b2ee8ae5cfbac60be4c4f1609879da3586f
SHA256078b9af3cc02d4ce24f484c105def6fa6ab3b239269d39b503bd592cd8721ca2
SHA51223c427290207f4496388e375917532a84121cd606cf36e804d2c30439167068e4eb43930ed32d406fa86cca6cd7f38d3c4f2f3f0bfaa9e157c6cec6e1e8546cd
-
Filesize
16KB
MD55727f75d977424dfc0d502b93db16120
SHA1a1ce74c8371835a770eda0e3ede7631a6d08fa70
SHA25611b42ed60da38472f20fba9a151d59f47285f1e429fd1790097e5de8482b26b5
SHA5120ce0755ec7cc33db422cfc49dd9f9a83998f36f0fc76205de6593af503b6dbc013a24fe165a75b0e02d73ec79862ac8d9d312ba231dd3be53a864073e01dedcc
-
Filesize
260KB
MD5526a6f25af4a53698308aa21aa358790
SHA14f55b2d279f898a933b98680b618e4e3268d01d9
SHA256c04980bc74c3ba581a80234836ad0ee891b36d3ab84c388fcc30762402cd8c58
SHA512f2b232bb61a017273b2898e6d23ae94b314084a769245bf7b8281dda94151c1e9e8af9b2f7612ad046a1e32dfe36c49e5e78856e29ec2099e965014693dbf5b4
-
Filesize
7KB
MD5f0163ab46f449cd7fef4864b1e4680c0
SHA1f3aae1c1fef6f4711349eb9b7f3acebd030aefe2
SHA2569f7e5e812dde33f6607c9022433e9d076563c60528e6e137a6bea81bf60f4b94
SHA512b3e1fd42039f22321d6b98eb106ca58ee29fedf78b7475c9e7631ce36600c8329db27cdd2474c43c4c299670c148e05ac0b2e4ea551704495280a73df1fb7937
-
Filesize
8KB
MD59978d7a7a29b2060f380b02438476538
SHA164748f47047481880e73e79d8a7ee2949936bdf0
SHA256c6a38fafd28d7a2624802b13e682bf12ad48f0a8689312275664b6f376582590
SHA512ce67e436e1dd24ee0542498fe1fd8900051f878b1cd1d82ff1b814ea1f6d839e1f2bb9832b3a146ad29a29fcb4356f9372d85abb0fea214b9bc4bc2d7730a011
-
Filesize
12KB
MD57f0e6e5afe5f3e108b3ef6d25dd94a2a
SHA1327c553fc25b70a23b390a33dadcd4e3928446e5
SHA256044a8ef96a1010e09cd9c75a5db98c44f63dff4eb2ccad7fe6f1509e8721edb4
SHA51205a35e031ef657990c30d3e8281cbf562172ed9a5ad8491196ad068e3c6d95e0ef032fc9f8c3dfa5507648bd25b749941dda162c220637869a061fbe8152ddfa
-
Filesize
1.4MB
MD56df61ba946cd872d214114bbd0be0176
SHA16c0ea939590ecbea65db740a58cfb6b429bc6138
SHA256030dad1a42183abe476b586378b85b026c2eddd73d7e572a225c4272ca43f4b4
SHA51285039eb1ec7257f9b2fbff18d37f0185b713fb1c9bffbf90f8e83b8f018621c39a9fdc4dcd6d680e556ed217d400755ff7358898a479c1d00f53f419f7e2a9da
-
Filesize
1.7MB
MD5ff902abbd31425d9c5cf012dc39866fe
SHA14b25c71d7a6ab5171d4baf9e352b99276f4bc8a6
SHA25609ccc2851781543075b361dbd4571b8c172d95f49fe1593777b5c3646369ae68
SHA512923d1ce9a3b800e762c5a909914fdcde3d88372a99d23428e0e2fcace904492fe351f781c9ddfc13e1fa6de73db9f5d64e7d0b9d4081d2f2c2e0454ab2b28fbd
-
Filesize
1.5MB
MD5c2c21cba3d8f0fa1e35108c60501b53a
SHA19d07b60f455d771e2c3d441cd9d44b6d1f83bd1d
SHA256be61d39d4fa36aa0de9b8dd3036c0b39e6e9545d13cdeeb31bb9478f741e68e6
SHA5125c67c818cd04211fa42ccfa57d9df1c8db1f040e29d64ae69f37ec9c1ab124ea2ac18ce8958c84016f1d84b93e1a269a57dd65f5b019a3fa315ea6d99dd59ac9
-
Filesize
1.2MB
MD5d85e94b48d46c19178a3d722a5d4a7f1
SHA14bd1e8d871b8c458f67f05d69e471337818a5402
SHA256f0f346342066a7780e62ce5b2eef70ae97af2cea2ad0572baa88b21d030f07e3
SHA512e60b90b766209d009d5dcc198c37fb19198b669e6e89dcbf4b025e7e6ca60adc5e10703a0d02459df167bbec3ae21bc462f6df43ed0b580277a59a76042b61ea
-
Filesize
1.4MB
MD53f999ce74fcb1bb97e623d28dd7bd910
SHA15049f3159634335dd881b7c35fd58dc5b7d75fbd
SHA256d5d05e31443d0b597b91b9b72cc345fd48171947660823b4fc015c950cf63a6a
SHA512dd33146157aaaa8aeac8242ae3e508c6fbe1451faaeb841510e2ba3d4eda9eafc35cba6c04691129c80404db2aa0f83ba59895d45c94f685c986c96465de3d2f
-
Filesize
1.8MB
MD5b16ca6ad3cff55b6c771c2c8c760123c
SHA1b5e5047bfb688cfcbd0c225bdafedd279a855dd4
SHA256c4811bb1e52f8e9c9532fe44e90dcf5303a5ee812e2a71c496b97bd9cc406a0c
SHA51288e42a015b135a8061725cf71ddf61f2737c1386a064b72ebc001fbaf157f5013376c82b377004c952608530626e8b1c2e1098d5182d80f874d803f7d652e3a4
-
Filesize
1.5MB
MD5404f5e2ea71a550c5b946b4b1cf83a72
SHA1ffa27e885efa50a33ed2dad23715fdc5b5e877fe
SHA2562d7c1bc2e5709b4fdc3f1aa16e28daed8342bf55abccfc13145dfd6cf110987e
SHA5127fa41d988c7ce5c8f6cead3c216db745285d28ed075a4949ab465c77a4e051edc98fde822747149cd0748c772f39c4e97d57825c9de6b3cc10e4dd2d40da9023
-
Filesize
1.4MB
MD54000bf73043206ad70bfc390656330b7
SHA1dfddbd719f43424ca3d11f85af8fc4a5532f1bb7
SHA2560a6977f004c8ba758360452bb6a55a3458ead57b16008612c7db31708e392c16
SHA512499acb5ee24a07b271ca969014e08f510805fce1ccbcba15a0b46a43a7bc23697105122a4b7116195a1bfab583ad6a198e2631fc8e1781b80eb78ce9514adc9c
-
Filesize
1.8MB
MD5f52c00e389a6ca36404719d8a0fb450f
SHA1616ae8b6bf9fa06a84438cefa6795616bab81141
SHA2560b727198b1dc60fb5627d682461701d0c8074656beb8219040c890fcb728ebd4
SHA5126d29dcc296134e31bd777f3b9e3c45cd3e1a065e6ed1fee7263baff1a2d401d18b71e17c8f094c33c411f8ef01a570575884a7d73ff0013523b90e7af6244f06
-
Filesize
1.4MB
MD5cd1ccbdcbf6ec97fb7227eaa0fb07c0a
SHA12819fc48540eabbf6cf3042f0d603501d6bd4595
SHA2566c0979505ff5ca2261e7c2d08c7bfa2c6519cfa1ba1c57e069b4e8e792828350
SHA512649c9220c8d2712dc9249aeaf9c210176213a7cda9ae6ed2e6f7828528534ff15237d1057f76e7c21ada243e0053329a6538e639f5f8c827626dcb34c8035257
-
Filesize
1.7MB
MD555947b636d0304400b178d21f26f0574
SHA14d41f9c6979b04e5bd054c888c21f1b15582e77d
SHA25633e6d2bbae23b6cef64029961a4b582569d5de14046706a96b9aff05bc6f048b
SHA512fb63b68197a68809a6114bd50f65ec3bf758248a3a40daafc77183782b59807b15f1f2d14a52d75a2ba0739b4dacdd084514a9d1213edc98ad78a0737d6c0c4a
-
Filesize
2.0MB
MD53895b1b60ef050cfcca2537affa7d1f2
SHA121279edbf1af2268941932fe36b5f232c1594b67
SHA25601a63cb3a642a2c19c2aede92a97a8b853b35b959dd01562cd0757bf063ff007
SHA5123a53636e6765adab6ce7a4161b93ccca7e4e3cf974b6223f320201e157ab6a3a6f7e94c3d1102a4eb458fc1723bd99f95dda93b0ca8d6cb86795125524161c78
-
Filesize
1.5MB
MD5a1046a2d777390b4ff35207cd5ef47ee
SHA1056e51565b9eab50ed23f834781c130cdc8dee86
SHA25645001eb0124eacedae0842337dfe9219557e7afe2ac3a6b78d26975bbeee7e92
SHA512229cc7797825276cb0015e83953fe9f84c15698e2a3087e4a00c7aef3ac85d2a7b0ad6b0d8453572e823de4ea5f055fba2eec06d4dc3d99cabce74e78b4283a9
-
Filesize
1.6MB
MD5070c51f755419c87db34085108ebd3c7
SHA100dddc5bbea8dfd8a466d7f306baf41613279c71
SHA25698ff1ce740db253226b3519f871285d2100dcdf72f8d214b6b1309b24cc34fff
SHA512bf150cca15484b9ecb3e29173550d58da47de59f81dde14401e6e8b721d806c8e4f6cd642e17f31b91eca91f32470ef526c39a8987450a15b174625eb334d00a
-
Filesize
1.4MB
MD58434060de8871493426a37f0ce75c1eb
SHA18319355189076a1640c289fa17ac844422ee00d2
SHA256216f1681134eadf0a133b7386f13217f0f17ddb394dfd3bab63a7ffc262a8b85
SHA5123dbe2ba8bb24cff83baa96d684896a63bd2e213b9edef8923e81510f00867bc5ba50dc11c8657c563f63f814d7c0a0f979387790a1665cc7ca34a471d5854ec7
-
Filesize
1.3MB
MD52ee7d93db5113be32c11216774b5d9f7
SHA16d7fdb2cbe821557a13e05f1d1b76d2e3925d07f
SHA2569984f388f96581cf70941abec67422b5a335b37a736908d24981274ce215f30d
SHA512d1eff20cab302844f48fa97ebe882771e5f2cb8eaa8b6c8d3c8a113bbb822e8ff89bce7f9442c86bd68993cd50eca281ad73c88d0eec0bec77c2ef53c3aedf85
-
Filesize
1.6MB
MD5e1f788a2b8b2efabf370b899730e9c6d
SHA11fe2c733956ee2e50df63a22c4f2913fd4276987
SHA256755615f631102d30cf278e45ca239508fdfe376ba0d0c502c7b7f500efdbf991
SHA512ab150d1f09960490a5ed3dc2b5a32712b3107c302350c1c7aa082c63127ff1d99ce9595d247cb22872e1ab986a0ece4a9367881144803fe4fe5723ef79263d1b
-
Filesize
2.1MB
MD5bdf83baa2daa13d9476725ff19cdb3db
SHA17fefc02af7076e585c981976dd1417507f285fb0
SHA2565e1fe7753d262adce4267109d46cec4956486d29bc92409cc2a907d8e8b24067
SHA51214bf816a3c32a474df574758196802a6443ff5655de85d49c10d5c1f5806767186651121f806a3a3db3c47ab555465965fabc712139864b3afddd8a41346329a
-
Filesize
40B
MD595c33cc1969930fefbdb95f99b2a9882
SHA1cd2cd226b2c6f6de0bb090f9ffadb8e643a23970
SHA25653b715becb7434a9ec7cebf218a7397d5c30fb50f6d3ac578728024f00ba194e
SHA512c5992c3d6c1d20ed54d7e8cee2d3ac42d929812b770ae770881b4d09475b23cdd5afb323f401ca81bee5566f09638581f8e86b717bfdaf11596e7398978070d6
-
Filesize
1.3MB
MD5c4cb9bfc070aac791cf8b47e6efa391c
SHA1dcf1a2c33126eebe290eb011875d4cc517680443
SHA2560c76b00ae824b81f4881fd0f68c301103d32b608f23cce689380875aab286364
SHA512b0387619071fe11ff3c7bdd62e894e2e00ce4e16791f04e45170af2e8a18f682fd8c41e2f9589d3b288e231c21a52bb65b100905e3fa70b803550133b4e92d35
-
Filesize
1.7MB
MD5f2be0ff7582889db666849f73ab64196
SHA117232663ced08cdd737c7103d1eac7934f037a1d
SHA256a15dadcc20adadeedc3d58ff2f2d06d818c611178f7d1dbaf6b7581daa9c4337
SHA51273630d106f5c9f6628e2a3b4b3364bd2fd71b33a51b21e917acbef7871d73332be7c3c45a529f81716377439dacc684cc7f8875cfa4d0580ea7e9a2a1c1a88dd
-
Filesize
1.5MB
MD598ca8e6313106c86a496ffeb952618fa
SHA1563f4b6137f7818b64204df492769922fb99a5e2
SHA256b3f2bca9b23190e313239031a29c0c69c6871f82d9940dfab552fdb17803ad9d
SHA5122f4908275dc6c44543ea2edbcdd8850f0e8c06d08f7a104a004ea8febea01ad74791aec7584240360a45dc272a5a2b375824652663fda9332e69730587822815
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e