Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/01/2024, 06:45
Static task: static1
Behavioral task: behavioral1
Sample: 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
Resource: win7-20231215-en
General
Target: 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
Size: 5.5MB
MD5: 94a1a07af0661c7685a9234c50644230
SHA1: 2d59b799eb1e92da12510786746169e69780ae46
SHA256: ab5ac6a0caa858c5e8ec58bd98a8600999e149d04301c37b83914eb76974727c
SHA512: 1949e49444657d8ffbba9e990482fde5138c8daf33ddc47fc4cb98891effbc9ed1f4c93c5e09201f7b5ff5a5938ea55b435de74a27a31ee8a2494f06682c44de
SSDEEP: 98304:IAI5pAdV/n9tbnR1VgBVmmDRSf+Aego/gR:IAsC37XYVDRS2ngo/g
Malware Config
Signatures
Executes dropped EXE (26 IoCs)
pid | Process
3020 | alg.exe
4364 | DiagnosticsHub.StandardCollector.Service.exe
4228 | fxssvc.exe
1960 | elevation_service.exe
2144 | elevation_service.exe
4944 | maintenanceservice.exe
2908 | msdtc.exe
3320 | OSE.EXE
1032 | PerceptionSimulationService.exe
1564 | perfhost.exe
2972 | locator.exe
1264 | SensorDataService.exe
4352 | snmptrap.exe
64 | spectrum.exe
4548 | ssh-agent.exe
1084 | TieringEngineService.exe
5212 | AgentService.exe
5260 | vds.exe
5316 | vssvc.exe
5416 | wbengine.exe
5512 | WmiApSrv.exe
5620 | SearchIndexer.exe
5868 | chrmstp.exe
6096 | chrmstp.exe
5336 | chrmstp.exe
5944 | chrmstp.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (33 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\cbd911bc4d74bb6b.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85453\javaws.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85453\java.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c8e6bc77e52da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000275ad5c67e52da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003df24ec77e52da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e15b3c77e52da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000735451c77e52da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" |
SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 46 IoCs
pid Process
532 chrome.exe
532 chrome.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4432 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
4364 DiagnosticsHub.StandardCollector.Service.exe
4364 DiagnosticsHub.StandardCollector.Service.exe
4364 DiagnosticsHub.StandardCollector.Service.exe
4364 DiagnosticsHub.StandardCollector.Service.exe
4364 DiagnosticsHub.StandardCollector.Service.exe
4364 DiagnosticsHub.StandardCollector.Service.exe
4364 DiagnosticsHub.StandardCollector.Service.exe
5864 chrome.exe
5864 chrome.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
660 Process not Found
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process
532 chrome.exe
532 chrome.exe
532 chrome.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1372 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
Token: SeAuditPrivilege 4228 fxssvc.exe
Token: SeShutdownPrivilege 532 chrome.exe
Token: SeCreatePagefilePrivilege 532 chrome.exe
Token: SeShutdownPrivilege 532 chrome.exe
Token: SeCreatePagefilePrivilege 532 chrome.exe
Token: SeRestorePrivilege 1084 TieringEngineService.exe
Token: SeManageVolumePrivilege 1084 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 5212 AgentService.exe
Token: SeBackupPrivilege 5316 vssvc.exe
Token: SeRestorePrivilege 5316 vssvc.exe
Token: SeAuditPrivilege 5316 vssvc.exe
Token: SeBackupPrivilege 5416 wbengine.exe
Token: SeRestorePrivilege 5416 wbengine.exe
Token: SeSecurityPrivilege 5416 wbengine.exe
Token: SeShutdownPrivilege 532 chrome.exe
Token: SeCreatePagefilePrivilege 532 chrome.exe
Token: SeShutdownPrivilege 532 chrome.exe
Token: SeCreatePagefilePrivilege 532 chrome.exe
Token: 33 5620 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 5620 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5620 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5620 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5620 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5620 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5620 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5620 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5620 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5620 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5620 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5620 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5620 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5620 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5620 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5620 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5620 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5620 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5620 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5620 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5620 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5620 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5620 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5620 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5620 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5620 SearchIndexer.exe
Token: SeShutdownPrivilege 532 chrome.exe
Token: SeCreatePagefilePrivilege 532 chrome.exe
Token: SeShutdownPrivilege 532 chrome.exe
Token: SeCreatePagefilePrivilege 532 chrome.exe
Token: SeShutdownPrivilege 532 chrome.exe
Token: SeCreatePagefilePrivilege 532 chrome.exe
Token: SeShutdownPrivilege 532 chrome.exe
Token: SeCreatePagefilePrivilege 532 chrome.exe
Token: SeShutdownPrivilege 532 chrome.exe
Token: SeCreatePagefilePrivilege 532 chrome.exe
Token: SeShutdownPrivilege 532 chrome.exe
Token: SeCreatePagefilePrivilege 532 chrome.exe
Token: SeShutdownPrivilege 532 chrome.exe
Token: SeCreatePagefilePrivilege 532 chrome.exe
Token: SeShutdownPrivilege 532 chrome.exe
Token: SeCreatePagefilePrivilege 532 chrome.exe
Token: SeShutdownPrivilege 532 chrome.exe
Token: SeCreatePagefilePrivilege 532 chrome.exe
Token: SeShutdownPrivilege 532 chrome.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process
532 chrome.exe
532 chrome.exe
532 chrome.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1372 wrote to memory of 4432 1372 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe 84
PID 1372 wrote to memory of 4432 1372 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe 84
PID 1372 wrote to memory of 532 1372 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe 136
PID 1372 wrote to memory of 532 1372 2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe 136
PID 532 wrote to memory of 2028 532 chrome.exe 87
PID 532 wrote to memory of 2028 532 chrome.exe 87
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3588 532 chrome.exe 133
PID 532 wrote to memory of 3236 532 chrome.exe 132
PID 532 wrote to memory of 3236 532 chrome.exe 132
PID 532 wrote to memory of 4260 532 chrome.exe 131
PID 532 wrote to memory of 4260 532 chrome.exe 131
PID 532 wrote to memory of 4260 532 chrome.exe 131
PID 532 wrote to memory of 4260 532 chrome.exe 131
PID 532 wrote to memory of 4260 532 chrome.exe 131
PID 532 wrote to memory of 4260 532 chrome.exe 131
PID 532 wrote to memory of 4260 532 chrome.exe 131
PID 532 wrote to memory of 4260 532 chrome.exe 131
PID 532 wrote to memory of 4260 532 chrome.exe 131
PID 532 wrote to memory of 4260 532 chrome.exe 131
PID 532 wrote to memory of 4260 532 chrome.exe 131
PID 532 wrote to memory of 4260 532 chrome.exe 131
PID 532 wrote to memory of 4260 532 chrome.exe 131
PID 532 wrote to memory of 4260 532 chrome.exe 131
PID 532 wrote to memory of 4260 532 chrome.exe 131
PID 532 wrote to memory of 4260 532 chrome.exe 131
PID 532 wrote to memory of 4260 532 chrome.exe 131
PID 532 wrote to memory of 4260 532 chrome.exe 131
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe"
Depth: 1
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372
-
C:\Users\Admin\AppData\Local\Temp\2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-01-29_94a1a07af0661c7685a9234c50644230_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2dc,0x2e0,0x2ec,0x2e8,0x2f0,0x140462458,0x140462468,0x140462478
Depth: 2
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4432
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
Depth: 2
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:532
-
C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 --field-trial-handle=2316,i,16279485378386856057,2983055143035540548,131072 /prefetch:2
Depth: 3
- Suspicious behavior: EnumeratesProcesses
PID:5864
-
-
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
Depth: 1
- Executes dropped EXE
PID:3020
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4364
-
C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc2559758,0x7ffdc2559768,0x7ffdc2559778
Depth: 1
PID:2028
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
Depth: 1
PID:544
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
Depth: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4228
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Depth: 1
- Executes dropped EXE
PID:1960
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
Depth: 1
- Executes dropped EXE
PID:2144
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Depth: 1
- Executes dropped EXE
PID:4944
-
C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2844 --field-trial-handle=2316,i,16279485378386856057,2983055143035540548,131072 /prefetch:1
Depth: 1
PID:2108
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Depth: 1
- Executes dropped EXE
PID:3320
-
C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2836 --field-trial-handle=2316,i,16279485378386856057,2983055143035540548,131072 /prefetch:1
Depth: 1
PID:2444
-
C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4764 --field-trial-handle=2316,i,16279485378386856057,2983055143035540548,131072 /prefetch:8
Depth: 1
PID:2376
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Depth: 1
- Executes dropped EXE
PID:1032
-
C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4748 --field-trial-handle=2316,i,16279485378386856057,2983055143035540548,131072 /prefetch:8
Depth: 1
PID:3376
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
Depth: 1
- Executes dropped EXE
PID:1564
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
Depth: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1264
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
Depth: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:64
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
Depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5212
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
Depth: 1
- Executes dropped EXE
PID:5260
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5316
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
Depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5416
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
Depth: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5620
-
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Depth: 2
- Modifies data under HKEY_USERS
PID:5244
-
-
C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
Depth: 2
- Modifies data under HKEY_USERS
PID:5736
-
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Depth: 1
- Executes dropped EXE
PID:5512
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
Depth: 1
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1084
-
C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4916 --field-trial-handle=2316,i,16279485378386856057,2983055143035540548,131072 /prefetch:8
Depth: 1
PID:5908
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
Depth: 1
PID:3692
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
Depth: 1
- Executes dropped EXE
PID:4548
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
Depth: 1
- Executes dropped EXE
PID:4352
-
C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 --field-trial-handle=2316,i,16279485378386856057,2983055143035540548,131072 /prefetch:8
Depth: 1
PID:5216
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
Depth: 1
- Executes dropped EXE
PID:5868
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x290,0x294,0x29c,0x298,0x2a0,0x1403b7688,0x1403b7698,0x1403b76a8
Depth: 2
- Executes dropped EXE
PID:6096
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
Depth: 2
- Executes dropped EXE
PID:5336
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4040 --field-trial-handle=2316,i,16279485378386856057,2983055143035540548,131072 /prefetch:8
Depth: 1
PID:2000
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x1403b7688,0x1403b7698,0x1403b76a8
Depth: 1
- Executes dropped EXE
PID:5944
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
Depth: 1
- Executes dropped EXE
PID:2972
-
C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4104 --field-trial-handle=2316,i,16279485378386856057,2983055143035540548,131072 /prefetch:1
Depth: 1
PID:776
-
C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1960 --field-trial-handle=2316,i,16279485378386856057,2983055143035540548,131072 /prefetch:8
Depth: 1
PID:4260
-
C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1896 --field-trial-handle=2316,i,16279485378386856057,2983055143035540548,131072 /prefetch:8
Depth: 1
PID:3236
-
C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=2316,i,16279485378386856057,2983055143035540548,131072 /prefetch:2
Depth: 1
PID:3588
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
Depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2908
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
130KB
MD5 be11a676500ab24d5b51fd4e96005ba4
SHA1 23348b11a8e4d7487bc15aedc795514679100de1
SHA256 6394f15f2bbba3c9d2a2483b0dba29015f0f753c96fd1ec08d1bc5db3a3fa993
SHA512 fc082f6ffb02aef0bb814ef7d3d0dd62885f30ffd150e4414418463fcdd734a617a81ffa6b510dd4980ceb3f6b94a3629fb47469e13023130bfaf4c70e8502a0
-
Filesize
95KB
MD5 7ec6bd0f47f8cd8a9e1e3675883c0588
SHA1 2ae436a1587c0de1342afdb0fc73f33c9d5407f9
SHA256 ea2a9f7bd5060bf418ab520b7be0e11764acd6904b66c22944e2a780efc5ef86
SHA512 ec5bc27c11e84db6eee9e4771ef104e7ee81d69a3e5cd8713a1ac058ca00748cef529970158391eb4b9cc645f1f6fcd6ff767d1de21234cf8da8e1a00e1b88e8
-
Filesize
208KB
MD5 7d274548c5eba791a34bac459d7ea8ac
SHA1 5ca3f24a5cf33d84fed830b8bda68c77bd6db28b
SHA256 8173b794132cd17af113cde599c0f48989577e16133711939ba1e82207907e51
SHA512 5fc358a062680b8103bf7b1364293d8b42db1cae84079544582a381267398fc7deed50dd5bc6df14ff3d73a3f5070e9a20583d5734f82827c10690fe4accd43f
-
Filesize
441KB
MD5 4e21007522ada3fffb0e5f4b5c72f1f5
SHA1 98193691ae8e62d3ecef440efcd8a70ddc6f0dbc
SHA256 c1c4cc6d11300bc70d6c0c54f2caecb42db386f3674509de772949ad0a7c22fc
SHA512 2f9cd57cbb293103f94ff5c14734ef72c85766e01e239a790013138bc079372e0e8d326597e9bb45b3c02f5d3e0321ab9e5d57a56c917d7664f9fda377dc1754
-
Filesize
564KB
MD5 77b50a2817f51e2d3a739c3e5fae45e5
SHA1 30268574bbbd74a2798d770b846fa1fbd26d788d
SHA256 17e8b67186c56f92f1e11dfae300cd64896ef3031a7ec1c7d0d4aece626d84ab
SHA512 3310cc696b06353969bac1d9b2c93f261cb9a28032d60be1652992c4876f26ede0a3eb2f74fe5bb7559978947febf0763a48c344b5e269b1807f712c422f8617
-
Filesize
366KB
MD5 bb254362fd530357dfbe568b51413a9c
SHA1 e19edeba5dca00fc7fadecbd6dc45da551a43dee
SHA256 75ace72f4884ec4e621bcc9340eb4da3f0f1b1e5fce81d23ac0df7d24f3e2b33
SHA512 46787a4317b47bb303d8e077f3c90791d1ada1c04b7748881daeec378a2b299e6ae037bd454c2ef102f4889374ebdec771e8c71568db5878b94174ac94b415c9
-
Filesize
519KB
MD5 cb5078b88e836f767218f086fac611eb
SHA1 db59296b18e1c08a2073455f62337d31a280c9cd
SHA256 70cb429756080836eee679a7049a343d4bab6b6cabbdc404e7a4826fbe17822a
SHA512 beb70ec97cc7297119167767f27d1eada076354f1e8b44733aabef208d52dc1008c4516c18017e189d1ad017284f25804b962f253ea90046997a5defca068656
-
Filesize
454KB
MD5 fef010b528854d642b566de3f35d3ff6
SHA1 514a1a7150bb2831b451d565f34b7b4dc721c2b6
SHA256 60acf5128f01fb636dc0b86575f4d9bf041e6d7bba53b09c8bd1502206b90afc
SHA512 f42da095e392187eafe24d283733eb4d3f6f46c4430c3ba02a0640a651def2abbf48e995c01a415ba18d9feba5855c8d0d79c101365bb6a8a953713364aa1e59
-
Filesize
384KB
MD5 e605c4d0f53796003ed4ff7fa771c2db
SHA1 5f2d26ea473b5caf29deae704e88ad847e8a3a53
SHA256 7747fba27c6ac2fa9d1d5ac9a508632184c28271e6816d9abc6a98d293bf1239
SHA512 9df9e14c56a012118c2a1b7f94fcca4d22af7259106c9dcbb2c004d17855517c0204f230ce07dd3a1a5fca6b19cb0603267da2dcd4969595a6dda03353a3f178
-
Filesize
389KB
MD5 349390887e48ba2e65800e3d68019c02
SHA1 9f638330a5ac991fd3125c3bde4a30c4eee6425e
SHA256 399438b1fd0a1dcaced69e579bd03c7d53b6825c40bd20dffe7d2823fd587b8d
SHA512 9fdfe639bb835fd868d328a8a6c8e29ff4e95aee9e23d47937c978ed7e43c02c5a4a3f14dcb6c93679699caab64914e8af668e297147ae45bc14ae51a56b8440
-
Filesize
388KB
MD5 dc6592a01a9efce4fb33e317562e048d
SHA1 fbac3c529400dd342811bd5b9431ac82898756c3
SHA256 5f7f7a50ef6bd0797cf0207f2ab782ccf5d11dcc132ea00184df855721384b26
SHA512 4379d5424ae51d45c30c484aa184d6006365368e017a1aa5e30d7ec9ed83ad48e3a2422f2992bd161718d8c7173bd3142583255a98bc193a36b9ea0b419da932
-
Filesize
377KB
MD5 2c3af5c23c9ad8447414c958c9843443
SHA1 46576eb9447adf4569d1618e2d9f796269a507e4
SHA256 a32916f3de8140233f80c636ce1605e1559b55d0b951fae2e8ba45da55f5ffd2
SHA512 5b2c73a5f3cf773c4a6da7032b72a72192cb18a5d699356b2c9050a3c42afc84050cb9ea6622710f7bac9c78fc5244e33f2d7647b74cc2c676f16a1c36d02ee8
-
Filesize
405KB
MD5 d3b21616f3716c8d60ea174185e15432
SHA1 ab031afeb216243fd32cf91dce0aa9098710e9f2
SHA256 f2139ecb293b7b8fd49963092b0ddbf91cd2a2b56cbf0be90292ded12cca132d
SHA512 48b2e2c7bec4f4112ba7bbf48c717a7bd1d9e65faf728687e5b580a335222722d9a97b5e21dd2a3db33a60ce0ed5c42d8bb69a80a76decc4218d0fd565c3af34
-
Filesize
21KB
MD5a08de22e0e3d8040823222cd5aa7dd45
SHA16da69b47276a1252b9ad4c9677a01f26173c4f5e
SHA2564b2a5ab884576cc99a5df65744a5dd89ec78618371a3ba9faf07b6ab1e3c3bba
SHA512c3a1f5a05ab9b287300daf74ea4b0916e2c1b1b922d9464757913dad078cdfad34a5db7834522faaa612e755918dd600288934fc7942447bf40f9d3c0e1d4ea9
-
Filesize
325KB
MD50c76df2ab0249b24c440b38f157754a3
SHA1ecd9e93f14a9b9e60fca20e173e9b74071c69a90
SHA25666aef226cc0e60cf64abb89958b48ab7f76d103a2f9f08ce953c21ab099ca4c6
SHA5122aba4c281efbd98a9b926f1f650abbdf8c43f4e92f0046b1230254177867ffcab2c9eee0cc7984819191a0ce506133b44114ad0d974abd44035a43aa19ab2d3f
-
Filesize
169KB
MD5d7a4d22abf87b7e863d3e8d3ec5da86a
SHA1a20c3e3843a039967284228ac50e5861ca879e6f
SHA25636094fa333658bd6d4ee7681d308bfb0ffecf1faa02028bd88fc96e4d4d2ca41
SHA5127b2bfcf35f76941c15318c37a87fb6380b9351bd338f10e6239b030809bfd1ca6b7b2d95b16486e9b78384fe625f107a33d2a1bc621e76fee704c134dcbd0a0f
-
Filesize
17KB
MD57bc7a9c2d76587742245a7e85d739c07
SHA14d0cd6a3d9d155a6fc70910465898334f22821d2
SHA2562e0016b2904af27c4f375deef4de3560553bd9c0e8b98130be51edbcf101145c
SHA512cbec6b6d708e285f606c587763603a6b7d8b0dbe99ce4723163380f80d6ecc937e023bf57ed7e043ae8824a60691d8212c13c888f78c646690f26d4128697cf4
-
Filesize
24KB
MD5c6d1825f59e7b6ab82fdc44bd8fdaeaf
SHA1e4c22de5ed398caff3f1c431335b408744c3012b
SHA256c411134b037d765d0dd0ee69d27b5e1fcbdab8a486bf101214f2a29bffeab9e9
SHA5122e6d9784882c7648cc62b171fd073d0ca687b9a6c8bd2ef4f1e875c978d402fc80ccdce7e989c5565af539957aedc759231b0967de60da828ca8238a83c09723
-
Filesize
142KB
MD5e1b91f6160f141315961aaf7eeaadd54
SHA1f2112ae54e82fe89cbf7a6f5df4022b5bf6ae2b1
SHA2565430912822afb0f47015be4029524b5dd804bf7a78455e37db75cefab40ae08b
SHA512b4e78d48eb2263421d2339dcd592c1ba7ef86da6d0edc5d00b1aea34de6d59af51d502b06dc07099f74800056313541d090b5bea846ea158156d5425baf124c1
-
Filesize
33KB
MD5cfba62f03d7e8354f04e43f8de51f108
SHA14d1f404049ed7e2f746ed7747213e07f1fca096e
SHA25645ccac4633776d5606a06be2721a5e23d4b0e9be46ab353f33a9282cbd4b8157
SHA5120b8a64c5af4467e1d10de2d44d2d8d9dd048e52070ed181108308e497caca367c30533556c9d1245711c64e36b5098d97f21bf2d81c9df87610815af08d798f5
-
Filesize
45KB
MD5d59f32b5da6733609e80cdad399cc2ec
SHA11ee2a0cf38682f4f63caf28359b120582dbd8d32
SHA25632b991969636d8228551e9106248c94c6d517b5f9172d730c1ea40af750cc4e4
SHA51299ebb07b92c87b753db54a698155b3d0208ee67ab684cfa639dcd9cd46465de1aef078183ebf3201a16c1234173da77653357158cdfed6904e6f6f23c921cde3
-
Filesize
198KB
MD53ede6e385071536a3faf88b7e8bd7cec
SHA173f750e03612f9c70de59278872d21726451cac9
SHA256406de3ccde8096f774abc41c967a32165cac4f2ba00adbe735d84d9775bdbbe4
SHA512b0dd856014788d3be1f89ffcd8126ea77d0915aa7c10fe282b7649257650d1c7f4bfc200ba3d3eb1f999528a9b0f2f7c7e6caf943c7e388acd779f0405f44bd3
-
Filesize
488B
MD56d971ce11af4a6a93a4311841da1a178
SHA1cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize
218KB
MD50302725ecc92a4bc602a0a683343c8de
SHA1729fcb08a7c1d935d0fceeb3effa976845c67c94
SHA25694daf7b6906758a4aac12b7b4130ff3ec145e454725d5a13127c2af5ab44ee03
SHA512eae55ca56c6d4aabc2cacb29a2432132228c6d9eb9cc684a218ea6510d4a5ed3a578622d55a47a0a8aef3acfac46d271507924b918a28c8f0c437829c907f82b
-
Filesize
40B
MD5bb2cdf82802bf69b297c9fae3fa48e85
SHA1f26dbf7984929197238377b2b3e37f974447448d
SHA25629998264d3f24068d6705e32cb6306f042797a0025aaebda57b3c581a49be0c7
SHA51200535865805747cb5fe10f4f67872b52e94fd0ce51937f94a7662254027919b13df4af538557116cd4a8002afbeb295c601a79d5e64c8d2d2de9cf377eba1db7
-
Filesize
34KB
MD5b6035b97b704d2cf49f3c1ccf80b5ca4
SHA1f236f8c344248486f675a40f6685c3f715c7f5b2
SHA256f3de5ee5abfcaa271c5acd3702b687a1f6924e850c0be91c930286f9f0da2cf7
SHA51265eea816e0e26127f0e067465f0164686e651a44be0f62fdf4a36bf225de3cadfe81ad8a6181b6990eb58953bcb91f093f55755644406ed54aeac5af0f6bcdd5
-
Filesize
1KB
MD5006b06b00e43b68c8b278919efdd266a
SHA1c1ec9162b635953b2d6aa56fc57ece78ec082484
SHA2566009760160886ccaf3da6f1101ceddaefa877558c520d18609db32e9c4de33a0
SHA5124e1d716b94353b6a04939a8975b45b529fa3b5cae6f63b9d127e047403d4a05813573aa2c48ebb476e3c9fe0293385a13f767f4e1b42c4b669d0f96876528d65
-
Filesize
371B
MD5d0e490f343c07dfb4a79a0cccb420cd4
SHA14c41d82fcb2dc789088368a7ac442ea348b90d9e
SHA2562fd32fa452bae831d9ed0dcfa8a80264e2ce347d4e9c01409689a26a9a947049
SHA512e05fa3a6ab8a17717c13e457f52289e70bc07c104a588dbcfeb9f8826d379bd6951da0ef2149629b0a17b4939571577146aee711181db425c51938729a5c6cbb
-
Filesize
4KB
MD562a8b721b4112a3595a1054899cdcfb1
SHA1aac146439dad10b6195c909eb98aed4a068d598c
SHA2565f3a087f5c0fd9155603954a16afe3589dcf98af5263ce13930f049a96c50908
SHA512992457a6da1bd51f2fe2d0b236b897899245feb32393811b11db1c522cbd0fa1d0ab85994c05556a110fa98ca86567606f0cb487f536ba56919251b2f3b320e0
-
Filesize
4KB
MD5419c71c2a6116bda9119b566a687d8cb
SHA16a7d5962483de0f6a89a54c2359599aba4cca241
SHA256dcd3d59a2c6a13c5e933be7f6ac505e9a04959480c7b060ae9a4f6aea482a82c
SHA512b67ba2f34909b0dcdc9c39d8b7f6ced584ad6eaf683d7cb38e65a05af5d6cd5098422911d89edf56cbae5d5d6890ec529ba8088250133c0c70741b8181ffe4f8
-
Filesize
5KB
MD5189ec801c434e9eadc199eb72441000d
SHA19b224cb944b0feed2fe086ce7a4dc223a2054fe8
SHA256aa9604c8a5c3fddaf39bea9b60bc7e137d500b0ad48dd8da98c66dfa0358293e
SHA5122482b02443c9a37212903f5f5fff4b5a53548c93a4444a49d39a94327682c7bfb06f64c6265004576c8f4cb974e75aaeb35bfd97f58a2ab0b5bc1e256e4edd79
-
Filesize
2KB
MD5290e9802629398a9ba56cfb50ca5f135
SHA13baf9a4863eb4a435da55f93e82a8ebe7a9f0106
SHA256bd3b2b7f2fb53d7f94ee52219c2d5bce2b8fc511ca64df36236ca30e77e74f2d
SHA5124eb9a305aeea0b1bf7659dd87c24d251cd182b456b18b776f3f6686fec05586cc648614b8d9090685b7d023d61dfba1cd733d357e1b3962e6be9789b879f7772
-
Filesize
1KB
MD5b5f0fbc7427bd47ae3427fa3f9eb55b0
SHA1406a2851aaabb258d293a74a970d3b760eac61ca
SHA2563b6fc0b507e856d3454b8099bb5609e3b878b2287b070e16cfe3af6f61250002
SHA512afd543753bf20dafe51b5151c09f0ef4c5a033c0607c6fdc40f31da2efe6fba2f94f45db49b857b08576977d90c1bd7822a34c3c74d3341285caa2ac50c3860f
-
Filesize
103KB
MD5f433686cba14fbf9cd6887dec413ce26
SHA1f00db82825a6d84283090920f4df1fe2436e2f8a
SHA256b6bca614279cac360f2eb0364e6544f40a543704e6b26c7ff241d456f3478150
SHA512124fcebdefb1014f16c1977ecaae494dddf60556d2d7b4656cbbc463d7d0240df5025a04a3621e9f7bd68c54fd93f60a1865737e9176ba33c5d414f6f60cf595
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
7KB
MD5ef6a28aae6c12801e402767120e0c4ea
SHA1d98baf335f3452a2d5267e61b69e557a52aa8f57
SHA256d87a7f8dd47125ab440fd08776066e21b56dc4af3179a41427abc114ceb46ef4
SHA512b366acccb33d7c0b5f861f0a488b7c6c2594656af3cccbcb41cd808c645e283a07153e499342cc58de2a7d3824a873e681bc3ade44d1ef45122facbba05c8242
-
Filesize
8KB
MD54c06716279b1619b66d45222324337e2
SHA1b54bc2f6326c1d228d162bde6aaab456d36afcf0
SHA2566d7259381c69cb7663c3a6f6fc162886d34a6d53e01489775397a21fe5292358
SHA512df4f32bca67333faa00fb9e99599ac48655d4765902cb904801c243379727d00a2a7f5055e6670fc4c93601a49a0b93b2e7d27d08ea01d42aa83bafe2656387c
-
Filesize
12KB
MD5694d67f6a015c9d49f500935cc699a22
SHA1ce6d19b1d0ac0bb3b3af72b55bb82e6d6414f751
SHA256c07860401aa6d141952641292f29fc5860cec3d64f655de6f8204e467d75d725
SHA5121270655c87e00d709ba40424fb71e49a6229e6257be1dc6ca5b26d99ccdb0ab6de87045dc8f97a9521a4a6b9af034adc4103c040308fc2c577861c22829cecdb
-
Filesize
18KB
MD5bdf5900c9d14330c5f301bf0acb97d0f
SHA1fa81d4c93ec338c8305d5a2a7ce7658a6a55b820
SHA2562345b95f28f44a66104bb18ebfd1c4ba6f504e1ee71147d1d46ac79263e21865
SHA5120895b36e6fca7ba92704055591867f336ab453421f22d7df5077129f6c956f54e41c2610ea8646be231816f29ac38a178434873fd21ba5ed81d7c2cfc89d95eb
-
Filesize
96KB
MD5e194214974a458fd1b6bbec696170d91
SHA18bc76d217de8691688c6fa98ef6158b665da9f97
SHA2566800a3adf2d79ac91471bfd3f83f37b9f3de6cd0ca2e727f4f6b9fdcbaaa157c
SHA5121e27be4d4c8528ef8952f551415174cbe06f245f82cc810e2c64bd1fefb43da67b02dd1d0b498468fe3ab0b10c390d16c887d9fdbfdd4452852bbb56e68ad175
-
Filesize
416KB
MD50d821fa407d01916fc68bf01b2e66819
SHA15decc774860ce2fe8eb1867aa75201f394a707b2
SHA2565c8d6ac08925635abef3ccf09e62ea0fa3e61433daa98f5f549736c67229f504
SHA512346a325b18996d25ace5c23f47584e4e3923ca42f6f2e7c36557158a0a43c6bebbad5fc1638bdd664fec0a3ab3f626f7f79ec9d578e489baae2ff2140de0be85
-
Filesize
141KB
MD5e5ed26fb0a14f10be75bc34ed966aaac
SHA12a164305511a47b0ca717b8086f28de05cbd45e3
SHA2565912b1941932b105f87a3ffde99a0e67724e662b5235505936e71341c5e03158
SHA5125fd7f769ec7e921ef10dc25e95b24b15899e28b12536ff3864a1abd079f2eb7d0d2a35faa5cabafcbf4e63298325267773ecd165fa28aa2074e4522ec69eba11
-
Filesize
47KB
MD510d885dff4bcea27dd745907010caeae
SHA1cde60db76231a373af2122205b9ace6adac42104
SHA2567e0302bca5131897f1302ecfc6f5bbfcf858584da7ae674641ed0097575fe988
SHA512d4c1aab3275b1c9417b89e35c27a83dff8df5f5132ff21a395f329a7dab5b6ff16161a03ba4c991e4475c387b27bfe3c15002abd6d2031a5e75780a6dbe15f68
-
Filesize
61KB
MD5cb07528a3e59a1237f4057c2b3a6bccd
SHA1eba04c1886bfdc6cceabb4d80dfa7363ca9b5178
SHA2568c86fef53d45320e2c638ad3fc9c9fc811f82c704195411b02c08c9ac9f600e6
SHA512a0018e36003f7bc74758eba5d3967f49093bc28e3523f3f99c24f4dce2bfb7187ac1b97526795a159d87f3cf10e5b94c4f7cfedaad0c4fd59a80ed9d673f308b
-
Filesize
176KB
MD5015d028654152fcd5f8e33ec3d9ff810
SHA1091300276dfe13f1216929d125b33ec3708b8452
SHA25604ba3a9d6c28e0b735b4980e94d51794e5a94c183e0155c0654ef2dd01b33183
SHA5120062eb4f4bb09c12ec4900b6f90aa8e2f2aef2746e28e374408242dca8ce65cd8e7538babd224b81942cf99c4c47868288a7ee31367a0059b055459f6bcdad11
-
Filesize
108KB
MD5cfb92509cb6a55ed797b747d628f6692
SHA1f7aa303e2d7ac39a891fe6229b27cbca7cdd20d5
SHA2561fa621b69193ff9c8d3a33dea25cdd581a0ad1f2ac503c42a795e5cd36cbd4fd
SHA512b654dced271b9e7757deaa5b9d541e890c34c86ac5b5058b3580873c128cd1b3435cad2def6c4d5fefabb25498c87fe24c6795f93deb544fd7b3ec965b71c1b2
-
Filesize
100KB
MD5641e8818f3245b548435dcd3802957e3
SHA1d048ce68758cc797b3ab3122e5e5b58561c76758
SHA256417caf44217087b36cc8f62f66fb2201e588504bf9517885e91244a434b03484
SHA512628aa55701d518bf54f558b3f614d555a47f3057a30aa3e95ccb5191e452a0f9eee61a86706f472706b7a490f633893c0519b1c464965d599c62876f81fd0bc9
-
Filesize
21KB
MD59e051e2611880e2fe23819631b8464c7
SHA164727778c6b7dfe1a6150f08f2a513fd8829722d
SHA2565798a36e08ef3488dbc1d29bcf65e1cc7ea34c443434cad905cb8282a4aead24
SHA512b5ff951d795721e3f880983cde996fcdac54c6dcc92b3fe004193a831819dfb019fe5e054cf068c5af3c3dc474bba8085aaaf8d40d46e7cd46cb15e50dd3415d
-
Filesize
684KB
MD5def16a8fdcf4a5c9e3af602cc1e7a74b
SHA13e5df3d16f7ac650c3a7a0b9deef0394ab0b686a
SHA25607225282cadd6dbf2b950c7f231657898e7c070a1369b104cdb58f2647d096a1
SHA5120fa601202ca94213e65c06f8d9ff0d0acca4bbde2386b29e2e89e442a260c144aca518e5104c54a37b7d9364823099258dc1dcbb70d5df960b1bdf92f35d02c2
-
Filesize
107KB
MD51b8d86af1014b6b413db710f5d3ebff2
SHA18c145a695b20f758a28962c8b6fc08b7d65fa494
SHA256fdcb1a2d171ffe248cc835509e1c43278d409de23f80ba43c9566a3594bd041d
SHA512c3e7dded24fef8e44b62f47bd4150e9a02fcbb938c37dfe6479f20f411e41593a3fb36e42896e154ac622ef612267044c4bee459622df4aec7f4a098733a9f31
-
Filesize
155KB
MD5cbce59abf6dd0190675e76398b0595ae
SHA18de4df72c32865f73e1a8a7aa5292cc86b84138e
SHA2569d21e0423bb8ed2eebb4c9dec7085ad72bacb70859e6e2531d498bf4e5acfdfe
SHA5126f10f497200318ef15b1954872451271d502698b99998fd1cea15eeab1f1aa634cf7f7589fec1c761c70bb03cc0017e978fed209521954cb7eba77684a37ad1b
-
Filesize
48KB
MD5f5fcc6fc699b74b07e3dac3a6ed52329
SHA149d689bbeca12cd7dbb2fe59de0a98b7e5324b3a
SHA256c023b17b60d4e31e08abe78058d7a3fbc807c827520b457481a7090ef19c35fe
SHA5121a84939758408eecb83fc3793431edee61a51c5be52d88aece0d47b432e62c9ff9acdb864f3b0c3bc842edbdddc40370b34b2d02adcfaedb27e8a66783860d2b
-
Filesize
629KB
MD5c8320e2de83b1e688dba51f620fa2389
SHA1c06b6f1cdf831cee9a9379c60ce60bb4ddd0062f
SHA25601e8a25d22ed251e558c07c68cc5c08766953241e5d7ba642f9eefc50ee2dcfd
SHA5127b749c5b5af633256e85c0b4501458db45b9837b81b79977cccffec79efea7cf5b6a748d7abcf7a662f30512e7dc93935da32b1ae2c7a8fbca51f363a29a0a65
-
Filesize
335KB
MD5b684cd0a62051c33df47eeb341a39652
SHA133e9f91807d5d245cb02a89a841e12ec88a3859b
SHA25625e68e473f074fbf9b70b8a2872b4c47ff42a770ed06748b16949fd547428bb9
SHA5125a456f5ffca5785ab7296b637ea865a0868d9977f3708a63da7efdbe4da40e2d79d507962c778f11ff19dffca6771c87530d5d42ad8120cc6b75ae0ec12779db
-
Filesize
41KB
MD51e3860cb3a8777b4379b83c3fd0fa7b4
SHA1e53ce3d3c7ecd6d97fe8fb0ac6c93dde352cd1f7
SHA2567f4cedbb846f73117a53f362cf0aef89f9397890e44cbd0a6d3de1ad4ee75b31
SHA51205976e3df9daaf2634f19c3536e8514cfb07d2b8b842cf2f5a91ce607d881a3b8aee3719d1cfc7deec744227895cf60a689879ef2c9d8da62fd4b14d611b5141
-
Filesize
157KB
MD5d73376a9befe0fe8ea5021d789870481
SHA1c8b86f89b5f9975681cb1016206dc410884cd6de
SHA256e8089b985499e614663a57b55f7c3373c245561535f4744d019279966aaa6d46
SHA512af8e74126b0a8a265a15c62c164501f04cabc961410c0e607a054a0d870190dd5eddac8df0fc538fbc550faecdfaa0f0a853f8a36119411e8889a04c96fcdd0c
-
Filesize
109KB
MD533c515b474a90de91d62d13c40d14792
SHA1e731950b113c7aac825835817389c37f7757b40b
SHA256165864511f79cc3860aba2d02a6882c00047aa9e58733beb7ddf5d6aa3416f41
SHA5120524b0342da80b186c2f5639dee8e276e6db9cb5874e8aafb810f32e647334a4789b8d809e7023879fa6740d2e1550fdea10b721fe7bb189760736404622d033
-
Filesize
34KB
MD5dfb25069b9f6a8227faa4bdfba17ac9f
SHA157484871b5fcf5a503dc5c85cfb2404916c3be0a
SHA256813e7cb83d395a84cdc831513f554e82fca7e516171473c862ed6e02b4fab3e0
SHA512641c80fedd1d945884444f0c2f24ce03de257eea9d6033da3c63ad4c52eeae6ddf9cd4ee4b27246325bc29f8cf9b13be4ae5ab4d61179a6d6cfeebd91b987c95
-
Filesize
40B
MD54c673548cddb6b082f48537ce42f0278
SHA17077489247ee9e8640de79562dcd484db9f950e5
SHA2562727141051205cc7df3e821fbc031eda6187e568a3507ee24d00062678d9d666
SHA5126ccabdb781dc8ea917193221ee4a0b8b03f573eb0055470e68a5eba793e5a501a48ea3b0044780160ebd922b13159a23ea8f9c07d8956d612216291573bfdbb4
-
Filesize
647KB
MD56c29fb576dc8d033679dd54a098b95ab
SHA132542e7cf5e3d7c3ad93896845b551a3183732c4
SHA25682ecd0514581e26bca061bf9c36a988a4b87c91fb766820a0837a4a1eb775afd
SHA512741d5a30bbad2300da61b4dd9b632257e8764bbc03cfdde501423234ca67990c066621657c7ff852ee0bf63f3469c62fe7a957a125e1b488fcb615af8fbf35f1
-
Filesize
320KB
MD5009e05d04a82cec03859dd71de2f3fb1
SHA1373971e2c2ef52d39d1ca8601b36b865e1944c03
SHA25687e3cc2e1a9a5f0f5a676d348205cbb97b18bf9ea8b131bb4a63d9be29e255af
SHA51235ec12a8823aa0f6a8f0e16f1e8d0a19390c3fbac3b818c536b3e527b911348615c7a315d7c27e37fb1c6dcc8b4305f39c5c229b3a52b86b1bd7a6a8b99a9e62
-
Filesize
357KB
MD560f83675359df07811a05645015b5ff9
SHA10692b22a3cd7b2fcbca7dfe5c68a661600982b1b
SHA256d90d98da209584a98e8f5178d8c4abfc2a9721654ee4ecf9491f22720e1862c3
SHA512ff3174b0b8371edf8d5b615e2897b80838216b4605f7576c79f250be018f8a961c26205ee18e8e06716d182f00a803c1119c03e37a2b614b7cc10138adbc45cf
-
Filesize
1.2MB
MD52c191bc949cafa16da3afa28ff4819b8
SHA16a4fb93b0b145d0dccae605f3b07d02460036fc4
SHA256ba2bd8f27de02d8f11312e636481f54d3cdf7bc129571aa1ae07d9b54ecf0e4e
SHA512df0abebd3ed4a8f7ff363d8350f6ce6dc1281ca3e8074499cf283489a65e5e4d9663e90cfa0ec9c37644481cb4a7952a1ad36cd895db3172348620744dd7595a
-
Filesize
637KB
MD51faf836fe0395dd023f66da85c82e546
SHA1beefb66856e2b51752b42d51d731d9c7e63d6405
SHA2562e45ce9f3faf487acae237c1a800ce45462fb266d29969665c9e346789ae24f1
SHA5128ef021d15407ade56f610bbd3292fb2f246e53c52092a275aad450f237a15871ff7503bf9262670e336b3b43b19ac6e8551d50c45c7d13cc00e9ef91aaac7da1
-
Filesize
222KB
MD595ca3b3f36d78b3c7732f01890a5213e
SHA1532260ac22b0f07f4a6dd43690e80a37b72094e4
SHA256df8a71d3ef5a09b85c2b2f9e473d7f5dff519a70026bba0072b8bb3671f4980e
SHA51246a234b4aab6502c84aa55d51f60929872a096726d2c3a2e8d36b45dfd25747ac585aab9a81dd995933527cc7dd0115f17bb742f11a4ec9d933cc6cd1424af8b