Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 02:59
Static task: static1
General
Target: e844f50d65cf925e2cb097035f6d9cf7.exe
Size: 4.6MB
MD5: e844f50d65cf925e2cb097035f6d9cf7
SHA1: 5dc0ba3f95b11decf30dd8c1395542fcb5660e1a
SHA256: 4912bd57acefeeddc8a3da877b46f474207effd09d6ca9a049b6241d72b96316
SHA512: d6d96a2f41da94a446dc1e51c14b27579447a0c195cac60806d692a7487ddc3b8200d722f1502db4effe7ea25fbe31429bea59514136c1e9ba51d98158c2acf5
SSDEEP: 49152:andPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGW:Q2D8siFIIm3Gob5iEdqo4w
Malware Config
Signatures
Executes dropped EXE 25 IoCs
Processes:
pid | process
4684 | alg.exe
3472 | fxssvc.exe
5008 | elevation_service.exe
4120 | elevation_service.exe
2372 | maintenanceservice.exe
388 | msdtc.exe
4948 | OSE.EXE
2600 | PerceptionSimulationService.exe
5004 | perfhost.exe
4840 | locator.exe
1812 | SensorDataService.exe
4708 | snmptrap.exe
1724 | spectrum.exe
4788 | ssh-agent.exe
3980 | TieringEngineService.exe
3604 | AgentService.exe
4844 | vds.exe
3100 | vssvc.exe
3200 | wbengine.exe
5228 | WmiApSrv.exe
5340 | SearchIndexer.exe
5612 | chrmstp.exe
6076 | chrmstp.exe
5556 | chrmstp.exe
5728 | chrmstp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 35 IoCs
Processes: e844f50d65cf925e2cb097035f6d9cf7.exe, alg.exe, msdtc.exe, e844f50d65cf925e2cb097035f6d9cf7.exe
description | ioc | process
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | e844f50d65cf925e2cb097035f6d9cf7.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | e844f50d65cf925e2cb097035f6d9cf7.exe
File opened for modification | C:\Windows\system32\wbengine.exe | e844f50d65cf925e2cb097035f6d9cf7.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | e844f50d65cf925e2cb097035f6d9cf7.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | e844f50d65cf925e2cb097035f6d9cf7.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | e844f50d65cf925e2cb097035f6d9cf7.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | e844f50d65cf925e2cb097035f6d9cf7.exe
File opened for modification | C:\Windows\system32\vssvc.exe | e844f50d65cf925e2cb097035f6d9cf7.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | e844f50d65cf925e2cb097035f6d9cf7.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | e844f50d65cf925e2cb097035f6d9cf7.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | e844f50d65cf925e2cb097035f6d9cf7.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\36b26b81b3b9834c.bin | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | e844f50d65cf925e2cb097035f6d9cf7.exe
File opened for modification | C:\Windows\System32\vds.exe | e844f50d65cf925e2cb097035f6d9cf7.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | e844f50d65cf925e2cb097035f6d9cf7.exe
File opened for modification | C:\Windows\system32\dllhost.exe | e844f50d65cf925e2cb097035f6d9cf7.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | e844f50d65cf925e2cb097035f6d9cf7.exe
File opened for modification | C:\Windows\system32\msiexec.exe | e844f50d65cf925e2cb097035f6d9cf7.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | e844f50d65cf925e2cb097035f6d9cf7.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | e844f50d65cf925e2cb097035f6d9cf7.exe
File opened for modification | C:\Windows\system32\AgentService.exe | e844f50d65cf925e2cb097035f6d9cf7.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | e844f50d65cf925e2cb097035f6d9cf7.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | e844f50d65cf925e2cb097035f6d9cf7.exe
File opened for modification | C:\Windows\system32\locator.exe | e844f50d65cf925e2cb097035f6d9cf7.exe
File opened for modification | C:\Windows\system32\spectrum.exe | e844f50d65cf925e2cb097035f6d9cf7.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | e844f50d65cf925e2cb097035f6d9cf7.exe
Drops file in Program Files directory 64 IoCs
Processes: alg.exe, e844f50d65cf925e2cb097035f6d9cf7.exe
Drops file in Windows directory 3 IoCs
Processes: e844f50d65cf925e2cb097035f6d9cf7.exe, msdtc.exe, alg.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | e844f50d65cf925e2cb097035f6d9cf7.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe, chrome.exe
Modifies registry class 1 IoCs
Processes:
- chrmstp.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Suspicious behavior: EnumeratesProcesses 39 IoCs
Processes:
- 5044 chrome.exe (2 entries)
- 3780 e844f50d65cf925e2cb097035f6d9cf7.exe (35 entries)
- 4268 chrome.exe (2 entries)
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
- PID 660 (2 entries; no process name recorded)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
- 5044 chrome.exe (3 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- Token: SeTakeOwnershipPrivilege 3520 e844f50d65cf925e2cb097035f6d9cf7.exe
- Token: SeTakeOwnershipPrivilege 3780 e844f50d65cf925e2cb097035f6d9cf7.exe
- Token: SeAuditPrivilege 3472 fxssvc.exe
- Token: SeShutdownPrivilege 5044 chrome.exe
- Token: SeCreatePagefilePrivilege 5044 chrome.exe
- Token: SeShutdownPrivilege 5044 chrome.exe
- Token: SeCreatePagefilePrivilege 5044 chrome.exe
- Token: SeRestorePrivilege 3980 TieringEngineService.exe
- Token: SeManageVolumePrivilege 3980 TieringEngineService.exe
- Token: SeAssignPrimaryTokenPrivilege 3604 AgentService.exe
- Token: SeBackupPrivilege 3100 vssvc.exe
- Token: SeRestorePrivilege 3100 vssvc.exe
- Token: SeAuditPrivilege 3100 vssvc.exe
- Token: SeBackupPrivilege 3200 wbengine.exe
- Token: SeRestorePrivilege 3200 wbengine.exe
- Token: SeSecurityPrivilege 3200 wbengine.exe
- Token: SeShutdownPrivilege 5044 chrome.exe
- Token: SeCreatePagefilePrivilege 5044 chrome.exe
- Token: 33 5340 SearchIndexer.exe
- Token: SeIncBasePriorityPrivilege 5340 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 5340 SearchIndexer.exe (repeated entries)
- Token: SeShutdownPrivilege 5044 chrome.exe followed by Token: SeCreatePagefilePrivilege 5044 chrome.exe (pair repeated)
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
- 5044 chrome.exe (3 entries)
- 5556 chrmstp.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
- PID 3520 wrote to memory of 3780: e844f50d65cf925e2cb097035f6d9cf7.exe -> e844f50d65cf925e2cb097035f6d9cf7.exe (2 entries)
- PID 3520 wrote to memory of 5044: e844f50d65cf925e2cb097035f6d9cf7.exe -> chrome.exe (2 entries)
- PID 5044 wrote to memory of 4880: chrome.exe -> chrome.exe (2 entries)
- PID 5044 wrote to memory of 2700: chrome.exe -> chrome.exe (repeated entries)
- PID 5044 wrote to memory of 772: chrome.exe -> chrome.exe (2 entries)
- PID 5044 wrote to memory of 3232: chrome.exe -> chrome.exe (repeated entries)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(Indented entries are child processes of the entry above them.)

C:\Users\Admin\AppData\Local\Temp\e844f50d65cf925e2cb097035f6d9cf7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e844f50d65cf925e2cb097035f6d9cf7.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3520

    C:\Users\Admin\AppData\Local\Temp\e844f50d65cf925e2cb097035f6d9cf7.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\e844f50d65cf925e2cb097035f6d9cf7.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2dc,0x2ec,0x1403796b8,0x1403796c4,0x1403796d0
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3780

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 5044

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad3f7ab58,0x7ffad3f7ab68,0x7ffad3f7ab78
          PID: 4880

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1900,i,14272241279864204826,2878951402854819858,131072 /prefetch:2
          PID: 2700

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1900,i,14272241279864204826,2878951402854819858,131072 /prefetch:8
          PID: 772

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2144 --field-trial-handle=1900,i,14272241279864204826,2878951402854819858,131072 /prefetch:8
          PID: 3232

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1900,i,14272241279864204826,2878951402854819858,131072 /prefetch:1
          PID: 852

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2844 --field-trial-handle=1900,i,14272241279864204826,2878951402854819858,131072 /prefetch:1
          PID: 2764

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4280 --field-trial-handle=1900,i,14272241279864204826,2878951402854819858,131072 /prefetch:1
          PID: 1704

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4456 --field-trial-handle=1900,i,14272241279864204826,2878951402854819858,131072 /prefetch:8
          PID: 760

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4448 --field-trial-handle=1900,i,14272241279864204826,2878951402854819858,131072 /prefetch:8
          PID: 3016

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4768 --field-trial-handle=1900,i,14272241279864204826,2878951402854819858,131072 /prefetch:8
          PID: 5536

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=1900,i,14272241279864204826,2878951402854819858,131072 /prefetch:8
          PID: 6004

        C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
          Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
          - Executes dropped EXE
          PID: 5612

            C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
              Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
              - Executes dropped EXE
              PID: 6076

            C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
              Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
              - Executes dropped EXE
              - Modifies registry class
              - Suspicious use of FindShellTrayWindow
              PID: 5556

                C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
                  - Executes dropped EXE
                  PID: 5728

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 --field-trial-handle=1900,i,14272241279864204826,2878951402854819858,131072 /prefetch:8
          PID: 5624

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4180 --field-trial-handle=1900,i,14272241279864204826,2878951402854819858,131072 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses
          PID: 4268

C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID: 4684

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 1484

C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 3472

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  - Executes dropped EXE
  PID: 5008

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 4120

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 2372

C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 388

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 4948

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 2600

C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 5004

C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 4840

C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 1812

C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 4708

C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 1724

C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 4788

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 752

C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 3980

C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3604

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 4844

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3100

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3200

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 5228

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5340

    C:\Windows\system32\SearchProtocolHost.exe
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID: 5420

    C:\Windows\system32\SearchFilterHost.exe
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      - Modifies data under HKEY_USERS
      PID: 5496
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
276KB
MD5d7fde44d4aaa8c413777a1468006e2fe
SHA1b9461dbbea0a789f51efacf99631e330fb4239fe
SHA256cf24235830214bfff12920cde3a1c0d02a949e4a8a78f4d8825fb671097ccbbb
SHA51249282e9f31c110589150a3a5413524ccbc79f9f6fe09ade57d135d0d87065a2d2c8bd2e70a6ab7281c7b94e783cf99cf0c723e0d8870d4b772c8dfe3734060c2
-
Filesize
7KB
MD5692a7c069cf559df80853c1873c84e1b
SHA1f23956e3c6f36ed8f8954cecb7b10858b287dab0
SHA25607b41305aed6248111058944972e71421226af3f1cdab32cf4fc52ede467b974
SHA512fbf1b016e047b22335b4587611865c801d299b34b0b1ac085bb97a2eaf8264fbd94b1d22f6d7df5d4b828eb8993ac56febbde584b8ea29549473bde5c41ac184
-
Filesize
9KB
MD5d71920b4fc961b34d9e70beaf1e2375d
SHA16007eea4df5f9acfa682c2da6ee90631f047501b
SHA25668ccabe4f449569fbbd6eb664e2c195c87d147973a5dcb93cced8eb717a05276
SHA51237bd94ce86419f981205807d3f854ff966e1cacc318222ec9ad0aabd137434068fb9b2d2610293bcae40cdc8326618fc1d7853f5d6edd7dcf287b4a878c28ea1
-
Filesize
12KB
MD5b4d60eacd8f612ba3d2233e048347e0b
SHA1ab900fe9b76e1f7af8378948894403e9102877dd
SHA2561f3c6b71b0506b28bd363cf4f9a4cc0c0be3cbb2a2125036d85486c9fff389b5
SHA512b88b02c6cfe6d79ec4764e29699eab827a61d843a2d7f99db49c35ccdee57e76085e3aaa7b6989715ca19f30563d3c2c3e895d2c00074fa70f2781aeff26b242
-
Filesize
1.2MB
MD50f9efa1883e637c97e2b67a08758313e
SHA17c76d36fa3d0617ceac54a30f2f6e428d021644d
SHA2564891ebc7f8a31268beb51e576ec3d35f7d8759dd08faa1cb3940e0b85c26ce67
SHA512bea24f29d9a4de32037c3e9c1bc4ba24acf18772bccdd78e67db07665c6faf643dbe89a8079b4c93e40978e5f7930b878347b639595e11093aa4e403e7b02914
-
Filesize
1.7MB
MD5cdd0547030e40ec2277cdd42806378bb
SHA18fc369c7b9782fc9879a89807df8e5640767e238
SHA25689a4538e0c8f4629c203e375463fdf52e50854cde15398675162ec33e9d7dbd9
SHA51221d5888c6edc5cd2401880fa789adee07a357dbae857a2ff5f3f2aee74d8959c28be0df89b13b3d919c59b5f196864fac7373a79c1e2d3c1cf8d0ae5ae1a1e99
-
Filesize
1.2MB
MD514d3a32abdc697b18dedbfccb5cd580c
SHA1c2d66e00e54c495c64ddcaaddb183b966985afbe
SHA256ec71a187819fa532a0742e7e3eba0a1e9c5176cebc28323df75df72dbcd679a2
SHA51296bb326d418214dd2de6f198d724728522d0a4dc8b32ec4533117f28c64004ae7f6f4792e6869c3e2b69a024270679345f1ccda0df3444d47b4c5b88acc1330e
-
Filesize
1.2MB
MD587d8658bcdf2ab0ac2dbca5a822599dc
SHA174abe202c4ee70443bcda82ee78bfa560d87d42d
SHA25696a65e83eede6c3497b0e793851d31ec315a2821ef9057011e9c02a6e799f569
SHA5124eca2cd67ca6c8cc2c129171a61bba274257d31bbf08640a30455ca0fc23536376b01cb3d020e22994b35cc126b8f420107bc6fdd6c05fc5e7d9fb9cd8d3a3d2
-
Filesize
1.5MB
MD58d604a876fafe652f998311b215a21e4
SHA14742c339168d94d7ee140ee65b06474c287ef37e
SHA256d197a38dc0055f14363babeb7c4b3b11b48456f8762b37262db2adc602297f7b
SHA5122bf4b3e0bd33a5265427455b7811db7775c4f54f3e7a3b7d9a853453454a41b0a7647c4cb7284dbb0fd400323d69a5ebd7bcae52421bc6e11f1b0dd39253b729
-
Filesize
1.2MB
MD579e67125ed8ca64046d4b09e9e7bc914
SHA12817511e50b8d0290e68ce1462b6eac2a9d5659d
SHA2563e17835d94a39b9c3ee620e6bf0fbde5894b7b0dd06e85b75cb613f540f22619
SHA51229b1dc5ed26a423d240622e7c7589e9c35af81e229ee339d43863211c5c87012fa20357252ea10cec42696dd26b5b1876de59fbcc5a8f8d811f6d1c18826d461
-
Filesize
1.4MB
MD53aa9a119b450e99275e3ebc0855b29d2
SHA126c168478a9092fc04f4ebb595d98a861a661063
SHA2561f7f423f9e064269be01ec4e92070f3f43225e0d967d235b1487b3630724a4a6
SHA512bef80b6ff8168e317469e6b4a7a512ca2f2ca9c72abf7287eaadd7b51b709102c1f764ec56c2d0411a38f32982d2f03cba9eef77ca0a12e4b301cece6dd9a3e4
-
Filesize
1.8MB
MD540906e483e4ae65e4569c21c3aa2e069
SHA1b929dc6a01208174d8c2ccee9f20f306b9569750
SHA2568a2a5c5427fff5d4de4dd4b161439fb770c8bc462d96fe338b726e3de8fe2c2b
SHA5120ceed7845a93a2d6cf537bf0f5cf87906e5c770a9f7f16e50efcdea82fbb7c4b5dccd98198a7054fa677b07c934a9b4a8cdb5f6cac4e8b01144d20ba9602dd83
-
Filesize
1.4MB
MD5adec3535e41f85eb853edbecf871ed56
SHA11601187a910445c8dfc4801c3bfe7ef393ac50f8
SHA256a9c2a0e9359c424e78b9aa43345b14208460d51a5026bba24c37422007d3d4f9
SHA512fcd9ecd121e4871128d7e877b4b1b202e24a8a1bec5425d1f3c5c1ebe82b72539e8142ff3dd226facded0482282ef58d5aa2325ee6d5857f113be41af0c13efb
-
Filesize
1.5MB
MD594f2cbafc7f4da17b986da019a8c59f4
SHA1510effeb2748b64981b3c39854fa75c97b9c687b
SHA2561aea609186998a91c9b65636ffe11efec2efed3c4a400fb14f988e3abddcf87d
SHA512d5fc6205e8526197128ee7ac5146a36e2c38662e5987b6b011477b85534754e66c4c5c81298cb9e6f2f5bade8f741d62a3743ab77a3ac75f2466be8f74960126
-
Filesize
2.0MB
MD5e93b4c6040882a638c6b1d54759b2856
SHA1e5409dd02f03eaf54e3d6c2601d0f7cff82d0f8a
SHA256428627aa34d3191bffa25439aed0190d89aeb9a6fb7856742d2542652e98a3f5
SHA512c3e4a243cd2db69ba859099af2c7a47869fd5ba84227b4d681c19c74d3299ae9ce0873e4d31c00cf4ba4f0715935421699965b6f6ffbf3191d2cda183b39a5b8
-
Filesize
1.2MB
MD59a597e2e5d5f1a3060ab2787ad1a7fb0
SHA1c00270e3b370bceb9173545883fa6664d1462080
SHA256477fb07c75cea6cab03852593e932bd6c71c993c46dea8924e4804a6c1b55057
SHA5126f958cddc68e375cd3c7c9a7d2706d8e8368bdd98c402c87a9fcc37b8b472e5910f6c437678539196bbae209d9e8eab9382252b1214e36e7dd6cb87bcbc48811
-
Filesize
1.3MB
MD52eb722a61c922450267b01866f0ea556
SHA1c01b998c17b6742ff87a7f8fcfd5a64c568234cf
SHA256eaf077b8f4a60b8aa35f5b3f729f6c4baed7441df7f02451253a95183516d98a
SHA51224e42d7ae4abd14e1f2f15ffef868cc8c1ad3cbfe333e3c2cf4e5a0a55952762b84496787e7418cc328a031779e8261fcb93dde6cded5361c48aefaaf4b01b94
-
Filesize
1.2MB
MD5c99941d585c4396d5078d57d6b7dfaa3
SHA17c520bd50eee97de2dd295a0d81888841a6720d1
SHA2561ebdede495e654ed82a192c04947727c3305ded497e494f87032f328bbea0350
SHA51268e046c4a1682d0581a05088c98f599598f79a6d9f1aa8362e9c4e33f367298f2ffb7031a61395b7f180ef9d72dfb57be44ea62a85810cb252c4328bf616ad02
-
Filesize
1.3MB
MD539c9d2db9b56a52c51e782fd9f6a2a7d
SHA11325fb1bcff6a641f43efc50206cb209a542b886
SHA2566ca94c3fcb22d8edd9b5d4000174ffcb4c360a981b9f92eb8478c7eaebf08fe5
SHA512bb3e8b8c352925022862783366c35d9494a097b67ef9f1e7080c7e66a06a7ca82e9622d82f4ebfae7044a83b6b231cccb695730a45884b7ca2fedc90cfc75b1e
-
Filesize
1.3MB
MD509526b46e743ec959d86da50bceb508f
SHA186a3606d3187b690cf1bf1509fec65695c2b09ae
SHA25628e19aca265da553a83fc9f81b0ee2ccd3066c4e8f9131c602576df5af96a56c
SHA51281c4736bb319784a08308f935136ddcbeb4310b697f1ff1c8cb7705b350c22635043bc946af20c27995969e84083545b2097c226293090863b8b87c215cf3f7d
-
Filesize
2.1MB
MD547fbc2ffb2442c15a7d168855f020f77
SHA1304022ace048f2b1671fac4d4aa06e48da8705f8
SHA2564682895f9a4f4bbf5bb45db8d51b4381673709f13558b875b4fb87e004566e3e
SHA512775cc83060030f11bc592fd7ff371d6e2b793a020560f49fa04bae55c9090c85ac7f71ea2703b78b46731d48855f14da0ca45c421fd010a41298e68cee9dbc01
-
Filesize
40B
MD536ce2b6cad119c81a528c439949cd5c2
SHA1f635102f17707ca52a99ae7082a91df76d1c4d6f
SHA2560c090de79661e741558d04a5e53e617bf3a81c1bf4fca885509d6297f59ede52
SHA512848fe3baf38ddf286b42c0c9a4c443d3851fb681a095e1311d0a312cb84a6e99aeee42f165d51174de98fa6ce862d6851d5ed3c9eff6aae5d323237f48c9e878
-
Filesize
1.3MB
MD5d41cec667549b17990b4ad451244d50e
SHA1ff7221871b9bc2fe8886162b3111ab6eaef02401
SHA256589c02b57ab6c52a7e809d33bc990a44cff542d3840ce8404c7fe701c07a14bd
SHA5121b6a58c2ba3413281a6ee093e54ad6003e6ea353513424b7cc32c84a1d8a5b5e0b425bfa586297b81bf285ca42f7c11cb7cbde91d1f8ed1b54134ec768149134
-
Filesize
1.2MB
MD5c4b26e0e5972c641ff43e3bf16863cb0
SHA19742e5ba77c407816648f71bc9d8fdd1b2d3f84b
SHA256bf1c5656e9a6982f33795a1c0053f4a79f77ebc14fdc53da3f5daa58d032498f
SHA51242b43fd564982fb59df0e77ce3b32a053ea559095ed6b9ef885a8bb50f40d49760fefb0077ceef834a31b53392e30c8b84db2b75b058b4a14a68d4b5ff761596
-
Filesize
1.4MB
MD52c5561490243fdcfc0559a92214f61f8
SHA17de97457d6a59247fc107b81b0b4de57588776d5
SHA256c80e3a933f347d2803706994ca6aeddc476d081fbc5575d6b7ec15504f3ee20e
SHA512ca0b51cd4d7d3a500573aa9548eb38ca00fb3823020482a9d83a4900cc773aa805689e99014ab0c6013b627d3e70a0ee54fa02230efe97b6e0a155e169e7d4d0
-
Filesize
1.2MB
MD5cdc2a9a27e4e531353aecb8a8e7886d0
SHA1cf3552267b6f561010ba71380e69abdb0073381d
SHA2568b50b4a51410da9b237509d9e9ad07b4cdbae1d89ccf6e9526b468641222c33e
SHA512f2ab5325254b079221f764a79e74df390dddf8e92d40c64869afb82e42bfa638545cff676d18f29b8012a17e680e69034c6b703209ac420817b0064754a724a5
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e