Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/02/2024, 10:42
Static task: static1
Behavioral task: behavioral1
Sample: 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
Resource: win7-20231129-en
General
Target: 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
Size: 4.1MB
MD5: cedba9bf25b79119af56f4e2cf71fef8
SHA1: 77e76dfd7aaedad2e048000157799dbbe8a541fa
SHA256: 5f78910a8f6b9927d2c175399a034383ea2b4c40d11b4253b7775ca748f1aa46
SHA512: be764af6856d13380b244d7537d2257bd5269ce4d0be7147c859187b9af5b00cffac021911d662b68a45dfd9055afd20b4185ccc18f7a0ba3dd5d2f85238ed9b
SSDEEP: 49152:r5Viqwo4KxghcyJLBaSbvviqMjfBV+TFZ1bBzP7n1Y8/17MVfw1QSXm+RFvTCr9C:rBfr+TFFqRlw6a+Kl2/V0cETQ/I
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid | Process
1832 | alg.exe
2340 | DiagnosticsHub.StandardCollector.Service.exe
5368 | fxssvc.exe
1028 | elevation_service.exe
4956 | elevation_service.exe
5472 | maintenanceservice.exe
5312 | msdtc.exe
6104 | OSE.EXE
1716 | PerceptionSimulationService.exe
1680 | perfhost.exe
4472 | locator.exe
4496 | SensorDataService.exe
5184 | snmptrap.exe
5820 | spectrum.exe
3948 | ssh-agent.exe
6040 | TieringEngineService.exe
3324 | AgentService.exe
5676 | vds.exe
1128 | vssvc.exe
1560 | wbengine.exe
5436 | WmiApSrv.exe
3216 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Drops file in System32 directory 31 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 45 IoCs
pid Process
4736 msedge.exe
4736 msedge.exe
3168 msedge.exe
3168 msedge.exe
5252 identity_helper.exe
5252 identity_helper.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
548 msedge.exe
548 msedge.exe
548 msedge.exe
548 msedge.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4712 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
Token: SeAuditPrivilege 5368 fxssvc.exe
Token: SeRestorePrivilege 6040 TieringEngineService.exe
Token: SeManageVolumePrivilege 6040 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3324 AgentService.exe
Token: SeBackupPrivilege 1128 vssvc.exe
Token: SeRestorePrivilege 1128 vssvc.exe
Token: SeAuditPrivilege 1128 vssvc.exe
Token: SeBackupPrivilege 1560 wbengine.exe
Token: SeRestorePrivilege 1560 wbengine.exe
Token: SeSecurityPrivilege 1560 wbengine.exe
Token: 33 3216 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeDebugPrivilege 912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
Token: SeDebugPrivilege 912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
Token: SeDebugPrivilege 912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
Token: SeDebugPrivilege 912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
Token: SeDebugPrivilege 912 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe
Token: SeDebugPrivilege 1832 alg.exe
Token: SeDebugPrivilege 1832 alg.exe
Token: SeDebugPrivilege 1832 alg.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe
3168 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4712 wrote to memory of 912 4712 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe 84
PID 4712 wrote to memory of 912 4712 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe 84
PID 4712 wrote to memory of 3168 4712 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe 87
PID 4712 wrote to memory of 3168 4712 2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe 87
PID 3168 wrote to memory of 2584 3168 msedge.exe 85
PID 3168 wrote to memory of 2584 3168 msedge.exe 85
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 5388 3168 msedge.exe 108
PID 3168 wrote to memory of 4736 3168 msedge.exe 90
PID 3168 wrote to memory of 4736 3168 msedge.exe 90
PID 3168 wrote to memory of 5000 3168 msedge.exe 89
PID 3168 wrote to memory of 5000 3168 msedge.exe 89
PID 3168 wrote to memory of 5000 3168 msedge.exe 89
PID 3168 wrote to memory of 5000 3168 msedge.exe 89
PID 3168 wrote to memory of 5000 3168 msedge.exe 89
PID 3168 wrote to memory of 5000 3168 msedge.exe 89
PID 3168 wrote to memory of 5000 3168 msedge.exe 89
PID 3168 wrote to memory of 5000 3168 msedge.exe 89
PID 3168 wrote to memory of 5000 3168 msedge.exe 89
PID 3168 wrote to memory of 5000 3168 msedge.exe 89
PID 3168 wrote to memory of 5000 3168 msedge.exe 89
PID 3168 wrote to memory of 5000 3168 msedge.exe 89
PID 3168 wrote to memory of 5000 3168 msedge.exe 89
PID 3168 wrote to memory of 5000 3168 msedge.exe 89
PID 3168 wrote to memory of 5000 3168 msedge.exe 89
PID 3168 wrote to memory of 5000 3168 msedge.exe 89 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Users\Admin\AppData\Local\Temp\2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 --annotation=exe=C:\Users\Admin\AppData\Local\Temp\2024-02-02_cedba9bf25b79119af56f4e2cf71fef8_ryuk.exe --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.73 --initial-client-data=0x284,0x288,0x294,0x290,0x298,0x140315460,0x140315470,0x1403154802⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --force-first-run2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,4823331884572352807,7861710126086203748,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:83⤵PID:5000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,4823331884572352807,7861710126086203748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:4736
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4823331884572352807,7861710126086203748,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:13⤵PID:2452
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4823331884572352807,7861710126086203748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:13⤵PID:3804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,4823331884572352807,7861710126086203748,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:23⤵PID:5388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4823331884572352807,7861710126086203748,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3020 /prefetch:13⤵PID:1336
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4823331884572352807,7861710126086203748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:13⤵PID:5004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4823331884572352807,7861710126086203748,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:13⤵PID:5556
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4823331884572352807,7861710126086203748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:13⤵PID:2672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,4823331884572352807,7861710126086203748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:5252
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings3⤵PID:2744
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,4823331884572352807,7861710126086203748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:83⤵PID:5952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4823331884572352807,7861710126086203748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4272 /prefetch:13⤵PID:4604
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,4823331884572352807,7861710126086203748,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3792 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:548
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc458346f8,0x7ffc45834708,0x7ffc458347181⤵PID:2584
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:2340
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:3556
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1028
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1940
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2024
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4956
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:5472
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5312
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:6104
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:1716
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:4472
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4496
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:1680
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5368
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1832
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:5184
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:6040
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:5676
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:5436
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1560
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1128
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3216 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:64
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 9002⤵
- Modifies data under HKEY_USERS
PID:4444
-
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3324
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:5492
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:3948
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5820
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff79ec55460,0x7ff79ec55470,0x7ff79ec554801⤵PID:2524
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
130KB
MD5 e2a4d2e1107870c0de145ce2c21cc9e1
SHA1 ccebf08cd2c954d5aa8d3012b3e62496ebd84e4d
SHA256 a9e9c91739a805199f9dd7a747eede750d8ac6a9b32ba514e15c0ebe5ae52ee6
SHA512 e07cd646e3dc361e27460e742f3eda454b15eb07c014ef7b0dcaa2828e3b7969dac1d24911db8a10883e7d64dd89319e9fb822bb8215e7c0568bc0ea1777dbb2
-
Filesize
149KB
MD5 9383be5630164b976de05cd2a9aae34d
SHA1 c14cc3be806a6d39f4956ca6d073345826a62123
SHA256 3be853c2d00da53474a9927f3af101b07d43b60cce561901dbb598d6e47d1537
SHA512 4be9579b28f5152e9c44d7e2648db37a65531a65a4a0a4a2024f5017244b00ddfc698ddf0b68bc26887177b2fe7983fb10c3ef2360f12a0cca1e9b7308ac46fb
-
Filesize
1.5MB
MD5 1f9bd22c15322283d4d0addb1f3b2c6d
SHA1 173a1cf2294ef9d224e68e7ab13b76be8bce020e
SHA256 09108fb4c1b3320af942ce028e843cc810202e11d3a071203353a0beff7152f6
SHA512 f1dc649e945583e0c46e735cfbdf06071ba8365a3bdeb429c6572830f5f58834361d65b854ca165f8b264790255c98026bde5ea32906ea9c72721a7a1c676eac
-
Filesize
1.8MB
MD5 b007d1666c3edda2f166631fa2443291
SHA1 e315b941e6f4803e24e6924cbc734c7d350ba50d
SHA256 aadfc8b9463a7ac0fff75de0abbae6822a03dc64ded677fff358b321be9655e5
SHA512 10e3f93dc9c5cb5ab985875bd42cbccad1c5af79bb579e6444754955d29ba924276d2f0f3f867022ba360a777ff5e6cd52587706c5e042b2380428d9fa94c071
-
Filesize
1.5MB
MD5 189e914af5c383c9a41b597edb696051
SHA1 7aa23477acc0f84840c6970bd6c30fac91d5b4c6
SHA256 41338962b460f57dd1a6f539dae1e57a5554324a14f4a6c7cda6dd5fd8d314ae
SHA512 17e106075e78eb12af47b288ab99ced3dc7c6d98292f369b9517b8c380408bd9ac8d4ba3db2426578f2678b0b36afcc4b56490397bb0b1ac0856f201894eea76
-
Filesize
720KB
MD5 b3fef821795e73e181fe8942e97d4302
SHA1 1fd5677b555664f4de87fbf9578ed20f8f8fc13e
SHA256 f25398ca3d461b69ac10439e9ad883f0a3b10dd1a18a1245515bb903bb0cfa0c
SHA512 ef47885b27c63b968bd919424690bab2ae007c6b988a31c2cd071bbc5f1b1ff1809b4505a899e23331d69d5b60e48a3c82afa1a120fd8280ff419ecab8e1e72a
-
Filesize
1.3MB
MD5 ee571fd2b403c68166dc34f6d301e811
SHA1 96c1d15e4f300c4c9681df642288e6c96ec31311
SHA256 8d2c798d7c1abb7d657c017573354d4540db4686bd9fdf7c9246b12392195592
SHA512 5b449cd38ce086da429e99b9db8d0e3f4df947e2a4bde864141c5836632fec4e319ebdd2e981b0cefcbe054ade665a574a743d9109b356c31e1f96be01341bbe
-
Filesize
1.6MB
MD5 bfe41df0b156bdb9b8f10dd59a30aee0
SHA1 da1c2820b7b9d6aaf5a022e9b8a3fc236b3266e4
SHA256 e17e9bdabd739bc57d445aa09f0344034aadbb9e2fe54a629c747388cec171d3
SHA512 4d3ebe9958cd824b915ab65eac3befd4fd3003f2cf5b86a44d13c854e43a4a024a7d261faf79cc3db2c36c89e618dc8d1d0fc19340562ec6f4f5269b68dc4f44
-
Filesize
4.6MB
MD5 bce8059ecbc6f309c12d0493169ec2f7
SHA1 f83a81015101cd04d56ffed15e7024a2d544dfdc
SHA256 1fa7d7221e8c3420dd2ad1e7106972c12f3640af115685e20b492f069d529bfe
SHA512 d25159cdc783d2fe85aba322591907f9f207bdd16c490208aeb3d695d853d35770ac26b1f64344e7e6be7a404fcf750ae1e6603e60644cb89cba9fd6d5781f58
-
Filesize
790KB
MD5 9d00bb1e067e7306b5e749ec4ed708a0
SHA1 84d9d446f57573104331ac3640c0cd3424c715ec
SHA256 86f32205d18a5298457d875bb911c97a9b88a27a96336d4baf8a3b4fc88c5c33
SHA512 5ebe4c5da0584fcd33a4d4f9224c8d11178831056f04d80ffd28b15faac3f325d1f84dc989cdbb6b9faff67ab2630e4dc2b2d9d205753f19ff2a390070304516
-
Filesize
937KB
MD5 b4edcf98df24a8562c85e75363255776
SHA1 f5cc6c4dfe81dc4e2f0fa3d1b4ae1a979cc879de
SHA256 01b5856d81abe02d10964308abebad256cb96399255900f83ca542b80e4c10d1
SHA512 c7c5be01772eeb8b3438c8a48bbb898488fa006ab56ed391a38fa5d6b6b906df85c748f4a4dca0476e826d9000ea29019a81170ba005ca12af469b0927ced349
-
Filesize
2.7MB
MD5 7e9d4c97320adb1c01efacbc1e1a5ec4
SHA1 c1ad81f806778f0dbef42bf72200ec010ffbedb1
SHA256 2416be6bcb6021bda024e9da7006b37a1e0b0255af03fd3875135adca703e7e9
SHA512 e989982aee35037871409f6dc3ec68f2a7329590ad39d7ddc32a374f9a65260cbf469c5964c92c191a62ceb1e0312793f46b85b9c638c11b9c346c39e16a9571
-
Filesize
1.1MB
MD5 5b00d8409ed8200fb546505dc8654bf6
SHA1 2c6a81609b50746f4abc833ade0414e7abcd63d2
SHA256 f8bd0a1b36fae3cbdb4ed0af064dd79537edbb0d8658fbfa6ae46fb03a04420d
SHA512 b9f0d2be2fca030c1c279a0524703e8e8ea4bd828c24a0ec17a90239b75dc72e80ed259c77ce528aa7724ca091c6d49e91b0eaf626de109791020689ded87505
-
Filesize
107KB
MD5 87ccf99f5fda31623b52351e05f6ef17
SHA1 bdb94a5eadfe1ed65445430ba6ce055c28965210
SHA256 673bd916ca3a1bdbd6ddb50d4dda7bf5e6429d4022aab875fb4db814296d91c5
SHA512 e171ab790bd8b7fd55c358241cde21de40558fe4605c520ae4abaa5ff71af0112100ecbac4f8502b7bca4c4a7da7efdbc7949ce478e3f3373de2d2377a73cc70
-
Filesize
1.4MB
MD5 37f2ec399301bb62358fb6e8cf3e67a6
SHA1 105d67015004d8aa9703e76bff19ce86a8c25c3a
SHA256 f03e7868bbac8c5786def68908335c7ea0028487c3d57b8dba3660c2dbb82ef7
SHA512 7b8236b3849163e302ba83ae2c2955aec8a217e98955225b96d09f35a464fe880c1ccf9039d2592777fb84313b2a6df1df8eab91b9521a090f3b2f5a019bdabb
-
Filesize
4.8MB
MD546395404267b4b804339eba23548521d
SHA17122f33ffdfc63de7f57f0c46d6098551744a5df
SHA256be604205c67068b2d56e8e348ea950ec3b70de80cac1a066a6f43ed64351baf6
SHA5124b9b0aa86a5bcd0761479a19f16228b9562d31a2367dd1b50f5c9bffba1904709cb50e9106bdb378ff6c050d1a022d0c3f8e1a26e0c197999d86162ea51b5240
-
Filesize
4.8MB
MD57238f947a27938e8c70b2b9e8b98de6a
SHA140ccef17905cb1b07be8a740c0703717d1357090
SHA256b3efb192d2062373413852204071f39a202a372cda36f1f5b51d3c525f4fec3c
SHA5126b1f16b78690609692de2fc86cacc9ccc2c338b90f15cc1ae073a45e65f95ee793b917615a5a4a57ae21d869321fe7daddaa3a948c706c11dc1de40ea54236fd
-
Filesize
2.2MB
MD5028f6f1f1f884ddef638ecd9a9de1243
SHA1f7d3e5bea5d4be80ac65f7ecb3ea33388563734f
SHA2565413d52594e0ea3395fb3c875b29a186f34454274ee0fb70f3204b07c5387984
SHA512246eff7de187492f08df7cd0dcafa0407dd704500a1e123011daa0d9d0027362386126b6c1ca0a9e7da0c06dee80830df5a9ea88f7d04c5ac43841ea420291d2
-
Filesize
228KB
MD515b82c8eb715fd25714012634349d5b2
SHA16b3b60303b222da933423c6d7d1d804ded9fdcaa
SHA25698a12db71420b1a57a797325c535fc28b4ff6504d693e643184d4f5047141fe3
SHA512b749f0e5525fb23f08feb62bb6d8acac538151356ced2e2da087dcad7dd8204b3409a90a8dd8ed7c3bbca60d662f727827787794ec2bb0e277b695b0ad14943c
-
Filesize
1.4MB
MD5cfa0e6060593ad470cc7c6bac3dc3b9c
SHA14a33e2e8d9bd79a016a6627f5e8fad415b027e52
SHA25648e6a4c22516f35da99cbb0da7f14da5f4fff55aa40463a283eecafddd4af4aa
SHA5122b90231911c7f0fd88d7416e8563b356052cfc4b0cdef10ed390282a6beb94f599d7bb07b3ba0a692b05bc75ccd11be25696f1d65f89c88ba549bd7c53cfd170
-
Filesize
1.5MB
MD5464bf2b72b7d9f58344fb2a11349db98
SHA1cdd382b88441fd5e20299f8648a9baf471b7c926
SHA256c8747f4ec9b154a64b331f1dff98a853b60847afa13687275278ccbc8048b59d
SHA512590338a7af4b9e90fe7f2d6a952376964b48f5801627beb37f87e197ad6d4afe55a7486195e8efb651552fc3d813d7cf698b5bbe83260d7f861dbe44023d5513
-
Filesize
1.3MB
MD58a862ff92f643f0220fb830e064c8d16
SHA1acd03c9a1bb746d861ee9f7ea82fe7428b4857f7
SHA256489ef8edff39f0361b61bf0fe76419932cc41ff87daab4c515882bb0768255d3
SHA512532504aac66ee1e0cf87e89c957d38555034cf76b248c5b5fd27077201cd059b53df42ee5e06784f751baa6204d3b3cda7aebd3616cc3d93e30b783418a809ed
-
Filesize
550KB
MD5ca005454a7e7ed4db95c97a9ae079309
SHA13b0de87c3508a477b1c090c5076158f684f66799
SHA256ad6a701b7bccba13f6d9812f428264c65556f13f0942abee942eb672a868ee31
SHA5124e85f050b0673b2daf87d5cd7386983120b6bffe46bf14f78c2a08ed816caaa5cd97f7fd1e1a7509b302d16ac7ab0429e99a3eb38e4278426f42ad421ab86fe1
-
Filesize
1.4MB
MD5fffa101282993c0d89eb83f176fe5882
SHA1168eda956a66aae42bc60924e3e156ec73b4f068
SHA2566380b7aa0331b0361bee7fd0791fce435b01014cff1c878dfce76058c1b91a2b
SHA512df38a406a0145956a72fd38b348bf797bc6128a0a76bba2be8ce6120f0ae7747751fd16f25dab22ee1f5f4d38c044f1c244bedbaf00467147caed1f06bb8b4ac
-
Filesize
152B
MD512f5ea17522d20f57cfc7ed287507d1c
SHA1683a34647d67a7f0db4b48c8e5ab2bd96b1ae58b
SHA25625fe9a74a26f05364d78e4fef7962b5509f562c825da977bf6ee46a31e2392cb
SHA5126ba3e8a3b7eb2fbd8edf13571a7a430b334dc86527eb4368ba3b8c2e7bcd24073cca99677ddffa633643046536bf7c7516076a9018f7b3c7c63a9f2a26de67c1
-
Filesize
152B
MD53e71d66ce903fcba6050e4b99b624fa7
SHA1139d274762405b422eab698da8cc85f405922de5
SHA25653b34e24e3fbb6a7f473192fc4dec2ae668974494f5636f0359b6ca27d7c65e3
SHA51217e2f1400000dd6c54c8dc067b31bcb0a3111e44a9d2c5c779f484a51ada92d88f5b6e6847270faae8ff881117b7ceaaf8dfe9df427cbb8d9449ceacd0480388
-
Filesize
5KB
MD500c5725670b5b0910dd999b4fd933191
SHA192d607f1dff5a50540d5e094ce618c34502bfc72
SHA256a034f846d5a047305f32dd7648c65889cc77e0cb8bf0055f2867371c1097b856
SHA512a648e894b72c003691ee0f8ff2eb1beedee4ec361f4b7b6b0f5ad7e09e3d4a3b3a93835772c29c0d4cfd36c8546c88367fb129632d0887ecb2f020b13869c3a7
-
Filesize
5KB
MD537527c592bd7df2eda4d1562aa9dc858
SHA10ba9dec15c5a4522a268fecab64702ca62eb91d9
SHA256e2b0f1969d24a2fe798f38d42349fc35b44f0b0d46995402c1e5b0a2dffa377c
SHA512265b1b157a0e336f16029fec724715c395dfcffc7aa7323abb8345136ed594b9976d9baceedf9be74a6e2b14ea6f3759d3858ec6ab09f6d969b4e350f6f6986d
-
Filesize
5KB
MD58e0afb1aade72e24fd5aa7b91fcc4b93
SHA1c9bbea41f65a321aee6b9856afeb2b1a3b2bc5a5
SHA2567a2652bc9c3fe72a190a20e92d5c4b23e07b0e43e3083d85e93446f3df558bbd
SHA51251267742a0e809262aba3594f6ab50c846dcb009be06bd23a9073b8d68957bf2a3f161a3104686894af8785658a4cd9bbe44001863e2abfacec2759add29eeb3
-
Filesize
24KB
MD51b1b142e24215f033793d1311e24f6e6
SHA174e23cffbf03f3f0c430e6f4481e740c55a48587
SHA2563dca3ec65d1f4109c6b66a1a47b2477afaf8d15306a523f297283da0eccbe8b1
SHA512a569385710e3a0dc0d6366476c457927a847a2b2298c839e423c485f7dcce2468a58d20133f6dc81913056fb579957e67f63cf1e20b910d61816210447cd1f1f
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD5aea46a346cc36400f381414efae618e5
SHA10c641bf339eebf6960db1a6541ae53bfc758187a
SHA2569f8c0703cc21e4d3c054e10712cf6b67e3c14646724e3a63b87077e3cee81196
SHA5128a2336016aadae999968c9879e27fd4b5e9a5e355268ffaceeace479523ef25e21778dd271391cc1f82a7df6668454a41dd0095a33b96fbccd3df81fff708cb2
-
Filesize
6KB
MD5789b63c64e945d45c387a5822ec8347f
SHA112b5637241cd0a3410dd8832da1153fd69372e0c
SHA2560e1f6eff8cff400fd38063076098d7529ceb71aa13534d0fb0848bd8b83d7270
SHA5124ba25d3f4360eb489a4b8ca5c1f5c7f02ce8381f050d4d92a6bb0129854709511ba23a03eb05800727097d2634642b60a626ceb7c6b2e5e2403eecc7cc03745e
-
Filesize
12KB
MD5581b1c40265ddc237c01a75bf88119d3
SHA15c1efe15cfeb1c2a4e2075fd7059959275192f12
SHA2562740df4f3f9dabd1122313af887a95e1915c79be663cc165d95715378c8a53b8
SHA5127b78b242800027607a895091df9792366a323e1be28d83c4c654153f1d7e6732f93948822b6ee1d74bef2f0268ec8ffb4b0c1239c0ebfc31bba3d55779dcf167
-
Filesize
2KB
MD5bb63e3e3a897a4ed23896203dcb362d9
SHA13bd17c1a3137deb1f48e36b043f6e2ca051da924
SHA2567e3e2bf73a00059ac18ff38229f4fd60d837e27d43d6c14a477dace05040ef1f
SHA51230c8960d3a238e32a969bcd5140c6447736573a891e8221d7a25c0ea67ee4bf66aeb55241b268d1e0b31fb9dfdb14309e57a8ac980a67e4a07a78c6b850ca2eb
-
Filesize
308KB
MD546be019cc8c5b59aa4a2857da6d76311
SHA191f1f961ed5c2b4aa1cd37648a4ce332bb37dac0
SHA256e84e3be2299170e99d792ea9f3f6b2823879abb7387cce444ae1484477d70e1c
SHA512d4cbbbd14d186382f4a45c2c8be71494ddc17928f37ebe9e3c1e52d2c46a68d0189a7f9ff9199d20c0f9b05956a69480d420a5a0c948abe18f109e11e787dfe1
-
Filesize
5KB
MD53627888209ed080ac649471d682b8bba
SHA162a2c3c537ed5f72f7e24ed444232c3fc628764b
SHA256a8cc3cff2c5709da83b6bcac460556358bc5f9fa012bcff488d8bfb41b75391a
SHA5125ff4126fc5931de63b271c5d06f639de9006da4215ee85bfff20e37e0c18222c55c6d5cb86879aa82a9225054ef17dc26aa8d3d6f20270a3b5b64b9610e2460b
-
Filesize
865KB
MD58350370f3a276d66d252f33571ed39ea
SHA1fe9ba2675ab9a757f5c2c66b6c950197184aa555
SHA256a2c5ba2dba0eb4eb2acfdd0bc739041d9d287d56a2b2b601f314825ddae3487f
SHA512cd01a8c5762fa9284fb3c508eb10a6261d3e83d5be87095e55fffd085ed8a328a22710f99f791586dd4f459f3d97d997576c5aef1d8baa1ccd808c2c138ef883
-
Filesize
418KB
MD55fe1bb9113f0573e6539bb323e64e839
SHA1545e665296edf3d3bc176f669bb4d99251d00dd3
SHA25674cf2aa543f3c794adde5e4311aa294d3105d24c39b37302cb0a15eb6c3c9ad9
SHA512ed7c42407b6eb0258b23c9e0d313cac081df86921980d88db66005473a0d12ac2f5bcdb345c729ef434983e3ba2c906c4ee0e1a5aabab12bef0cc44b38ad6926
-
Filesize
257KB
MD519b8e2ab6eebf64ae9bb8da53022789d
SHA1ac1655462753bc6837111ba8eb6dbde0f8aebe53
SHA256bf2b0f348d29aef0a21286703b4bbe810bf0766ea0716041cae0d28b75b88e00
SHA5128f83c9e8b54ce066c95a592483d370d01091673b9783c602edbb4440630734ca472921e7ad88251d701cb455993be48a09351d260fc0f1b40e23103bcb9af470
-
Filesize
1KB
MD541b0919ec80e408bbfd8f3b6f11904cc
SHA1e1ca0e811f93f427011b68babe2488eefcdbc2d2
SHA2561f29813de80a743c022a2bd9e4c0d300e990a94a854b048cee0aa64a86469a33
SHA512fde9f3532970980a6583a5d319fb335141b87b2faa3fc3203ee2413ca3af6b188a7a68b416c4191522a8a05c2172ce64142b44f5c7993ce662a7fac1e9dbd858
-
Filesize
194KB
MD50c17c47e673dde89649790e0444b7415
SHA109246c2d1d15257d483d52bc1e892c5b34888858
SHA2562a3bbb59eca7e54f6c7a3579d3835d924cd48cb1d0412f6f43da574950182969
SHA5124519281d5e120256c52986a59d4fa94605a545525f964b2ccab69b1a53a17079fbf00f7ac2e9126fdc63dc6ba7bb3e559bf98711fb45abdac3fc72d3165d1783
-
Filesize
1KB
MD55cc772186cbdd234e31edf493060cca0
SHA12573bb4ceac8ce7322a767065b5c2f2dfa649243
SHA256e6b60336cea388477cbda6d72cc984b5010d5b8f88a611c86068a4cba2bbe9db
SHA5122f4847af6723f1d030d7a5e7cc789743515eaf651770812faf599e92d746393ab390fbb1bf4c749bc6db8519386b77c6d1c94b085412e0f4055e17c3ee52d7a9
-
Filesize
52KB
MD515a3897fe635fe62f80eaef22ab5a397
SHA1e052fad65dd2be268bd33c53468b4a79a36e4f03
SHA256c153441ad674757320717c208b9eff3167200ae39f9c6e55be9296d7dceddcef
SHA512e9e4660dc2919a7838fa6b4713350111cccd8cb8cd7f98f5c642b5a91ce2a1d46ba8df495b76ea68bc6d22efb88df740e4a5bad6c14c46b16fd9849b96cb769f
-
Filesize
274KB
MD5f2faa25970225d4106d0409f19024dc4
SHA1e8385b2c4f4c19e204515c404dcdf4a20c698f9c
SHA256f33efec9b0fe7667fdb8bf0c971ececf31f3210c64536bd47336465079086981
SHA512475ee48f9466ef39298e53d7cc86f7236ede1d015510ed376e2ab41271ebe2c5e8d28ef3336e3e032db8388d283057e3a25c480ba83dfc481d7f6c4af789ce21
-
Filesize
773KB
MD5bc22e8778c551bf3e6a16f2bbb05f931
SHA1fdff26b4f9110495c32a6bf41fc6b0fb33b9cc50
SHA256be62a0bc6fd23850dfc2f3ff3b2fa0158c35a563a6860c3d63c8fe226aa34a62
SHA512434b37d7f24fc435e8a4d40ace400b687ca42ae89f5a7d4d58e00fb2858e3d610db3e9cf3469a92d035733186ca366f9cb4876c0914666fe1ab6b4222bfce1f3
-
Filesize
101KB
MD5e547c8f07c8be99c555b2ee7126e455f
SHA1b08f23791d19b83393c2646a2b9ddbe214d927a1
SHA25610fd09e34d2350c064efa2b130c25213ac0417c8892695c7873e672cef1e5b1d
SHA5127cc34b940c8bed3dba38563dd5c1a6b4a0e60f8a860441a945f0ac40f630faab1f4fc23818d8da600da472b4c04e271afad1a4d868d3b6a1fe1d2cdf95c502df
-
Filesize
205KB
MD5f6e414724823fcf8c56930074795d224
SHA15ae5fe99bc62fe9e685495c011f271ad60cd15d4
SHA25623f186e2caf1f7cc3f47055a25e5310ce0e1bfaee3f11d614dbdc144dd357787
SHA5127f225e25518cce15d6aaf8c534a34a8ab121c092dd2413f4b3260f90d97329bc8e129bf5bc54119a9155fad8ea9dd0ac7d643e8ba2dc66f1c2c25010835b72e4
-
Filesize
39KB
MD5802eb094b4299c15dea2c8c0f4f6477f
SHA109c6e8c3399b1d5ee4cddb8df5d0348848332d22
SHA256dc0e4b1e29745c84834098a58fa2cf7b6a54cb9763300447b9f4d09b5d07dc65
SHA512c5fbd64ec946513df16731ae1f728c2c02783601cf5e49c0a1491752b26f436d413d71318246af991d53b4c6c6848c31163510acff2b6a85609f0196ecfcd17b
-
Filesize
310KB
MD511f03d468c30884edeff142d3ca3fbad
SHA1db0082ad5dd717f5522ddd523f3eca63f151eb3f
SHA256e03fc701d9f1d7c5c7ae2dd00f001b4f321ab003316a1dddd77eb7a47f03807e
SHA512ac7820c40440a711755e0cf3bce50b46e92b26db6ebad97a44b4a7dd982eaabf919a0405c2d60f30ff4c9fe5454fc67cf85d09c64075311addb09c69cf625c9e
-
Filesize
142KB
MD5b3a1cecda6c9fa5d1ecc65095949f358
SHA168116cdc54cb07ea2694077bc983c893a517bb8f
SHA256278a7e26beff8d5c26f86fb60c2edad4bd34d2bd68842d53caba60a56bd60cb6
SHA512f2da080a180ea96f495058478448e4c13e5ec3a0fe435a914a60868f62e1877a5373f027ba55a3b5d3f3c19ff87f9a9245734958dd122e50db75afe7a54d6777
-
Filesize
33KB
MD50877b9f39ea5c60e037ea0bf862f3817
SHA1515b149fc84ac540e5e34fa7d57a7ff7be834210
SHA2560dac3c965664e1360d0d97aad3ea20c416b6ae7af7d9710f6e8886401ef12e47
SHA51223f21f6ed14c689c14e61aafa985cfe34f1ab299e9dedbbbd54d8beb40f3a77a72bee7285c3655dbed117fbfa2cb4895bc61ceaf493167404e36a6c8ebc017dc
-
Filesize
115KB
MD5ff36cf7f2452018e3099c3a276e66cbe
SHA1e04bb1f4736aaf868fdfcd0a0307e28068a82d3f
SHA25651030bc812dc514c799bb4258b41994e95e75b001286da068ce5740d9042b681
SHA51250ea255d9b6e13010729866126d3954e97ce7bc8f0797ad9abbabcc85c72247ffeff999309ea16dd5d24e3751366dff79c62c6d30ff62b1dda9a020635d5314a
-
Filesize
168KB
MD5097f580a13f4807a05dfac9fbd992328
SHA15bfb132f87fcdfb0da30cdfde930edb9ee417d3b
SHA256df95701ce8b65a2ef1f640fe28bdb9debbbbde41e3db3331297e217150f59b89
SHA5127736de6f916955819f4fabcc284efe5a74941099015b444cbfb72215056ed5fb27ed834dbfc861e00f268fc44392239343216ae0df4072b4cc9193c782b94445
-
Filesize
59KB
MD56f4ff6ac6a75a60ee029545c91564c5a
SHA1a6c8bc973db9227c2aaf8562862bb9e70fd7c7bd
SHA2564e33e3a38a2cbfa612750e3d91a52c049c95b67d787d95288cd2b75473fd68b1
SHA512a0ad3ce46838b1e81bfa11a7d56cf041d07164651fb89d558d5190e79a1e1bc86bbfebb36bc81ae8b07d3aa154ad1b4053867a5e4da80ea9f0e17ae46793ae24
-
Filesize
808KB
MD519b56a1068ae13e61789ce65103b1964
SHA1c01552e14a33476ce90780b8746a7885de1a055f
SHA25613f459da65f1386fd27d3afba63397b036efc8ff50eca763d07dabb46d44b335
SHA51202d3b6e73aaa5e7bb8fd8bfe8400882853e385ae67bbb3b4581638871d8800a19319efc88515f9a6fd106f87aea09a9587a834be3f51173ae436e45697f5b845
-
Filesize
1.3MB
MD5da79aa8b74ffa5f173c80f6048f6471c
SHA17cb8f1e9d6772c307b5dba1421a539f43602ef73
SHA25620f3a1a065eae3a1cab50c1854778ccdf903d0c9b07b547cd3fa31e18d127c9e
SHA512d0697972d3542f333354f7d83dc3ba0f659e6f3e84c37a1f73925aaa65eaf9c18e0f0c703d2a757f32c07c57a3559593ccd527eed9b3ab7e5854a26b6a0d2e5f
-
Filesize
661KB
MD508f80cffae4c5d9eb585e03683c2d220
SHA13a701d33f2a9165633bb7035d071c0f38ce82c36
SHA256abdb7f41b339828199dc5485c47b0c96d504aa8595d0a6517af11c3430d36bfa
SHA512c51f29ea49f4a4604ba55f33d27a3395f2afd5cfae5c8b3a430587892e6a346379e6b25c4d7fd914b15d28b4d8e7d7a0e8ea1ad612b532e46eb2eb2eb65ef016
-
Filesize
494KB
MD5f63ae6fa40ff8d1f1ba5db9cc393a45f
SHA1cd9bd6719dcd0b15cc0247a287d2e4dd273eb276
SHA256f3be035b546d2a26770ec6b8174ba5f3b4b016eb3667868dd1d34583705363dc
SHA5120f3cea4da62e61976f181c968c168843abaa63451fda673261fdd6510fd1ceee85bf5801f9a9f6983a08f191f68eede9af5292e3f81e2bfe991eae8a71eab80f
-
Filesize
995KB
MD54ad30272b81d422d0ba14fc213b50c3e
SHA1e8a187fbf7c903e78e307503fd92e100adcf492f
SHA256ea01c8ae857aef5a28297875c660ba53459a740e450f160dc7c2098081c61fc7
SHA512d9e4c4fe0e229f026db23b23fc80924bd2440b0475a85548c1a2a278f5b0958971ceacd9d3179aaa428f74cb1d990e40e270078bcb3500a669bc7b5d9988182d
-
Filesize
5.6MB
MD58824195bc015684c2c30f64e9d3c1872
SHA106ec0fbbf845fa07a4b43d1a810308c01ee8d89c
SHA2562ad328a95b511ac1a40304c87765c4148d9b94e2ff9f66cec7cf7f918fd54f42
SHA5122f0aaaa8f3fa3daa00b273153bf1add84deb5b1dd96099d80b9fbb51ff4c5e3ce758d5ddb8928171f5fae0955fa40177dceb1072c376a8849801db760720f26e