Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 18:33

Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
Resource: win7-20240221-en

General
Target: 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
Size: 5.5MB
MD5: 2b1aaa003ed82f02dc63f3d80710d7e7
SHA1: a8e7c4a2b4d665564a384c148d28d1d6bd021bc1
SHA256: 8cdb92447a56b60558e54ed12ebb7abdf29a92cb973d3fd8a2bdd40f10f686e8
SHA512: 3cee5eb48fc609d3aac496cd3437c96a6c4cd637a5be3f95a816235c908da16df52f6ef394ce1e77a78f28ffd37bdcc1008ec1b09745b884d05c9e88ac06fe1a
SSDEEP: 49152:oEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1tn9tJEUxDG0BYYrLA50IHLGfc:mAI5pAdV/n9tbnR1VgBVmIF+iY3FPdo

Malware Config

Signatures
Executes dropped EXE 22 IoCs
pid | Process
4112 | alg.exe
3288 | DiagnosticsHub.StandardCollector.Service.exe
4532 | fxssvc.exe
1580 | elevation_service.exe
548 | elevation_service.exe
4084 | maintenanceservice.exe
4324 | msdtc.exe
4652 | OSE.EXE
2100 | PerceptionSimulationService.exe
3832 | perfhost.exe
3212 | locator.exe
1312 | SensorDataService.exe
2408 | snmptrap.exe
4528 | spectrum.exe
3664 | ssh-agent.exe
3208 | TieringEngineService.exe
2896 | AgentService.exe
2056 | vds.exe
5156 | vssvc.exe
5244 | wbengine.exe
5328 | WmiApSrv.exe
5400 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 33 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\d3f520f6822cf6b9.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Mozilla Firefox\updater.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\java-rmi.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program 
Files\Java\jre-1.8\bin\pack200.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\unpack200.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Windows Media Player\wmpnetwk.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\orbd.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\javaw.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened 
for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\xjc.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\unpack200.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\xjc.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification 
C:\Program Files\Java\jdk-1.8\bin\jhat.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program 
Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe DiagnosticsHub.StandardCollector.Service.exe -
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C 
SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName SensorDataService.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 
spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe Key 
value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011633a69f585da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local 
Suspicious behavior: EnumeratesProcesses 46 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
pid  Process
664  Process not Found
664  Process not Found
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid   Process
2032  chrome.exe
2032  chrome.exe
2032  chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 3 IoCs
pid   Process
2032  chrome.exe
2032  chrome.exe
2032  chrome.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4064

    C:\Users\Admin\AppData\Local\Temp\2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      PID:4180

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID:2032

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc82ae9758,0x7ffc82ae9768,0x7ffc82ae9778
          PID:3968

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1880,i,13897810285090764400,2433721713174658397,131072 /prefetch:2
          PID:3104

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1880,i,13897810285090764400,2433721713174658397,131072 /prefetch:8
          PID:1708

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 --field-trial-handle=1880,i,13897810285090764400,2433721713174658397,131072 /prefetch:8
          PID:2716

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2844 --field-trial-handle=1880,i,13897810285090764400,2433721713174658397,131072 /prefetch:1
          PID:4628

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2852 --field-trial-handle=1880,i,13897810285090764400,2433721713174658397,131072 /prefetch:1
          PID:4244

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4572 --field-trial-handle=1880,i,13897810285090764400,2433721713174658397,131072 /prefetch:1
          PID:4556

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4692 --field-trial-handle=1880,i,13897810285090764400,2433721713174658397,131072 /prefetch:8
          PID:5184

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 --field-trial-handle=1880,i,13897810285090764400,2433721713174658397,131072 /prefetch:8
          PID:5412

        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
          Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
          PID:5624

            C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
              Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6db0b7688,0x7ff6db0b7698,0x7ff6db0b76a8
              PID:932

            C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
              Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
              PID:5128

                C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6db0b7688,0x7ff6db0b7698,0x7ff6db0b76a8
                  PID:5176

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1880,i,13897810285090764400,2433721713174658397,131072 /prefetch:8
          PID:5668

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4696 --field-trial-handle=1880,i,13897810285090764400,2433721713174658397,131072 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses
          PID:6108

C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  PID:4112

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3288

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID:2084

C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4532

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
  PID:1580

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID:548

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID:4084

C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:4324

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID:4652

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID:2100

C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID:3832

C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID:3212

C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:1312

C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID:2408

C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:4528

C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID:3664

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID:1584

C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:3208

C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2896

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID:2056

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5156

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5244

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID:5328

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5400

    C:\Windows\system32\SearchProtocolHost.exe
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID:5836

    C:\Windows\system32\SearchFilterHost.exe
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
      - Modifies data under HKEY_USERS
      PID:5988
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD524d52bf7d94ec612f05790fe87f6d89e
SHA15665aab7e59455c977bdea7f4fc65353752e4465
SHA2569884206fad64e32e338a6d8596b195378e36b50d31fcf2ce9e315c5464470211
SHA5124ab41b16457f100972e47be33a4a088002c99e87fb7e904f2bfcc26948c962f9b6b768fcbfcd774de674ebeab0396b8811b825777576d41ba30edf525699145b
-
Filesize
781KB
MD5783d24eaf5e7987a3baf0d24c431c45d
SHA1c299800a03204bc5ddb0667f3c6b010eae97e16e
SHA256e4c6b61f49f2bd3f539cb5476e2eac8736c49cc0ecd2aa557e97580f9dc38bc5
SHA512275afa82c94b960298c0c9f03c282952693853854d4dba038285c6b96dae7c1e0d549d9751894a382f2c00a3f9f0e6834dc53f1057cfc1753142459296752cc0
-
Filesize
1.1MB
MD5cc94fd4e452284bdb46e55a3725dc84a
SHA119338b2bdecd8a5624f2548bc9ca125ea46d1719
SHA25609420c94ca59cb7c24c82e6625c9a9d0753ab76b6af6db8157927e8568725721
SHA512146450e605ac395c91df2016eb91a5b84b3e2052567bb1847e4495478b9d464f4bba464e43ea78903333865172706f202ca030651262b8d5e6ed9674985d610f
-
Filesize
1.5MB
MD504a23793241e2810098c41d05988f98b
SHA18f0f69c58452fb12c468014a29d315f77abb9e4c
SHA2561a0aeb1739db47b679dda84af643a9e82d23d99fc65f5a55777703aa001d3309
SHA512e72d4065e3e0bd62242eb41ef83439b1e61a01c89b874f6063c7f62ed3c3acfb73e35a01699b4f1cef9cd38137fb181f200d2edb448126a22b582f5a487bfe98
-
Filesize
1.2MB
MD51b4a324a581377b678b8e336f9532a88
SHA1a3956721d35a9b1563ee4df18a9b3b976b34f8c6
SHA256e00354ab7328a4ce74b0fb0d9cb2faf05fce28adf347b0e1df2d9bf0c52d1618
SHA5123acbfa74bc50982171907a16b07b6021f1157f72c80e9415d5687d8d8d6966c106380d580547029b8aaf98ff9c2f5a2bd4768e154e7f88105de05ac83e84bdf4
-
Filesize
582KB
MD59afdba3fa8592920c468ee1d7bfa8e29
SHA1e062b72c1ab24ce421dbb4c0bfa47876dee1e073
SHA25615f1ee03ee63ccae81c92876f06aecba15b5aaf7f3028f2bc5cc596ec1fa9cfd
SHA512599e71de99a842181b42ddbfda901c8e7283715a356f3f92476c0617ae13b14618024769cba19f7d9062984d723ef6ff8be745e1a703395aacbbcd6c95893fcc
-
Filesize
840KB
MD5a0af0ccacdb8fc527f46bc5e72f3d202
SHA109304fb851f2a7b9987783bcf9bc9779a0675921
SHA256cf6585ae75e15d6233b6121ae2321b4c0b488deaba2a877b50638c931ff75504
SHA512f46a2c76a918fa14d6a4adc56b24c9edc6f6063fe18944c5ad1f7f6d07e6ae801af3051a55a7aeeb7174d0081143914608589320fd37e3820c83d4be70809011
-
Filesize
4.6MB
MD5c56e70f4175769a5ecd1ed0777712979
SHA1351afb2f1eff348b0b2b2acb79bab0b1e63f6b8b
SHA256b402fdec841d3b8b695608d089cccef540092800636ad0150abb3a7957c9029e
SHA51256ada80175022746f7647a121ddac727629e00afe9081b18d2dca981d8fd29b213bd089af01df543d00e604c29d64100c036a7e6fe026019b08468a7ee4ee0c5
-
Filesize
910KB
MD5aba80dc564a663d037ec5a665a737b7d
SHA1e93dbe7eb4895e8184924acadfe08082c32428e8
SHA2562db8109e7830ba711ae0cb327ca38df06e5d047fa4b44b3636476f4f582de668
SHA512c88e8cbc77afc8ba7652529d53a5d487c8da7e0bafab12dc0b2e4b1dff05935a7996522942d46349f67c78d4802575c92d4d12e45a5dbcc3dc87d31de3811965
-
Filesize
24.0MB
MD5602b05fb499ba1bd8304249beec92206
SHA15b329d59e7c633cd41958e60189642f1147daa93
SHA2561649879f9475babc1e4fb4e460d30e4acca2380cbfedf158cb72b55b2fb2a2e4
SHA5126109f4e03cb5acc47a290ab66c5ec143721e85b52efd7b0a5c8fc5a64fbf8b7964c4142f4780d27eca4e67419f3e08df663ef72bd5ed28cbd2d9a0fd3ba9da08
-
Filesize
2.7MB
MD57ec1f95f2f6e9440d903a292798c0ead
SHA19472f4ba38bc16a5ee803e22b55e725b84345caa
SHA256567a138302feefa38642b8192c4a46c8825d3531ae47de9c8ef2ea7f1d340efe
SHA512e1ddcd160a257afd11d4cf71f134029681868717726745f74258936f01a290dc66c69a3237548fe595ca574f805b5f5484a8dc6d80ba20e85e90c1f3e55a304e
-
Filesize
1.1MB
MD57ab703814b75b2f1611d118eb2ed2d23
SHA178f86ccb4ef8fdb92d0be5b83b67d03d25d35116
SHA256df748feec923f27a113a5dc924d21edf54cf116c8c784b999d33045fb343cdd4
SHA51226a08abce697e2587b03585daaa87c26e986e3c23fb7776b9cc82eef37912221eb3b7420788181b8b7a7929d474bf4540de575b92ca8b35b95668c490bfab44e
-
Filesize
805KB
MD52352a82dae089a086043806f12e21d43
SHA1939aff02a3230555225f0102e91cacc2e2a86a9a
SHA2567cb04c94a4d87df7e54b84dad091696ed61098c4540df938256ee76564d66b7b
SHA5127c8d5933e90c78a904e2a8a1ec0ddae8e1f6b2eb86febde2ad72e48804381bc5dc34433c9b821e489c6dfa87362983c6050a07039c4dc427bedc83bcfc4d8ef7
-
Filesize
656KB
MD52bd7a9aa8a246073b75603b7ea6a5eba
SHA1f1370c1537e0695dffe5e8676ab538c085f7a97f
SHA2563a51b0667671fe2b3cf450147750b4569e8271097e7e82bdea03c03a1faf6bd4
SHA512fc5605fede10d5f4a0c241b50157bfa86444e9d478ee547f04b7b24235f8139f39b03222743e64bc0e781345645a1b8c5cb90bf83d9f62c43afd08e4fc7c5440
-
Filesize 4.8MB
MD5 df444e5d3630490a77b58d6347f37fad
SHA1 eb0718eb24a9fb4f1350aa5afacb23e7210c7dce
SHA256 14b54b6a11451231a4f6732dc470e005eedcd87e0355bde55d0b14b5a1f35b70
SHA512 e9478cd1eda46b3a5d260a1bbfdb4d9ccbceecc5b5b9d3eace9a71f5256313f8e2fc8a55db6e39cc12fbe205e2103afd0b499daf133091e790119e1f6f3f8232
-
Filesize 2.2MB
MD5 6b319370cb16f9148f4d5ba1371231ac
SHA1 4080ec4ff62e2f8c54dbb928c7baab8aad10d6df
SHA256 c168e27a241db60fd8ca8f7ae8a040b297d5069099283aab00ef7149e13064eb
SHA512 5664522a8a2324606f1bc3e7da90d56a18b522b14061f938664d7d3997adea0131d48ddfc3f24141055ccf5531e4ae71889895237d654fc019cd54e24fefb41d
-
Filesize 2.1MB
MD5 577e4da6087a72b04fe2004499be63e6
SHA1 78b60f6656fa222a4cf9ab141f5a174430a7403e
SHA256 c048aa98e280ac4b345b2a07419247031e0759a8f8a5911b57de7203638dd388
SHA512 3ee0124c0edbb49723061c14b3a7d45dbdc861f2bcd0ee20c43a5e8926bcdd53772d51e7f376dd2de92e3486fd7e1f74906182693b31f2bcf0661cd34fabb0c8
-
Filesize 1.8MB
MD5 2fd8a42971b726524ad047b13efa8b8c
SHA1 19054aeadab479cce9c14c2a62f9e32cccc6ffa5
SHA256 9bac8e89f9e89c801e33f9ba8d4b82bf4d3a47676dbc00c87b4d424ef590afe1
SHA512 744460a79192b049bd76a0d9603d5b39216352d6b50eb3d3c42558aadca68eb759218fdfe768ed07e1b9b0824afc52f45a838f0dbaa0f3d2aab88ce847311def
-
Filesize 488B
MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize 1.5MB
MD5 a7df9bb5cec7421c0984e36afe7f875b
SHA1 a72adcb73defa09d47644deaacb1f9c380ccdf41
SHA256 9c09b5c62c272b5ebb031832a0b44ae20d9bdda6e0ac243a54f9cdfb76dd64c3
SHA512 8c0911d9a4c0d11237b62620656976808ab731297b2cd54b6182d6a66e00f3da17df1d1c2249d3de5272f0d365da36260f721beafeef6fcd8043d2e4cc94d718
-
Filesize 1.5MB
MD5 bb2334108090f6d8988b1987a6073196
SHA1 7eabebdf9fbef3a984e70db3e39a4cda1005cff8
SHA256 04bf1a12a37196a98a68daeaa7a8ba556651b1a074ff4b4a3e0ccff9655b2be0
SHA512 494397b801ba4f87a3af319dd8248748b8ffa105e841788e5f55fc9706970aa0b5133ff5b58693dbc2edbbda208ac3224504da5f76cfc7c8448ebbc882d56d33
-
Filesize 696KB
MD5 628190089b67c1533dc18b56d75ba7f0
SHA1 a819b83d07b5f387ce3a7cda21b80d2701722de6
SHA256 deb5356190fb5a63b6f983bc693c80c70b3969f800b1c1835c9c511223ec3309
SHA512 e7fac81012fb86a8126132e1b1dbf89404474724896300391f84c606869898c9f908fe342db2ba670b2b71d962898f3570b3cb5db66b6cbc787b46e0b9bd2e12
-
Filesize 40B
MD5 ebf424291670dda4b391fd882059506f
SHA1 fdf5196e0b5d872e7b8e9c35abea4e779329f606
SHA256 0c08e7fe9a70023ad15bea10d76035610c1d52a826ac1af4fffb88953e4b1ced
SHA512 a9731e463b3a62211a105c4de220c460b3e982728a8630d9821814d3fb774316ec94a37ea8cc1668206aa83ba4b8f42df08dd61255da3b7fb8941eda8adf4ca5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\00108ae9-4c46-4528-9409-a6f0fc280000.tmp
Filesize 5KB
MD5 79ce552596ca63bc499df32fae09edae
SHA1 a08a280464ac38fe79ef08264185fecd84ba1aca
SHA256 c9e3cb53057b4a444c916c25522c757687bee89d6636e805bfd145bf8bd4a1a8
SHA512 a6597c8fff58c315b91c827e6236d678fd53f930a79aea73d398220a54194455f12c15f2d769d3c2868237c62ea4e075516a4d28cdff755c1847bdcc03ee718a
-
Filesize 193KB
MD5 ef36a84ad2bc23f79d171c604b56de29
SHA1 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256 e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512 dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize 944B
MD5 ae29211b89a0159901918006a42821f2
SHA1 f85320b5cc5b60b75b44e281d5b217113bc4a141
SHA256 95681e1defebcc3e6d3e5d710080435fbc82257e1077cb73628ae1659e34f152
SHA512 b130401ab791ea9b801b80c920e01c976e9fd3705df0df41fb11f027f27de402bb6fa47f0eb24566f9080166c087b496bb3c5e286c9ba3159c96bf4826c04fce
-
Filesize 369B
MD5 ec659cf07466b7ab84d6d7c98e876b84
SHA1 2fc7c01c3e871bb7b50829fc394fcf6e49b030d0
SHA256 873ba55e0fc9b62b8637e3aaf87efa3441bdd5c6c4d0b749de6860ff4990b015
SHA512 e83394197cb8a6f3238aecad0f4e184f337726d76930443763fa8bfedea111e01d245d451aca70c7d9ac86df513052ef43f4ec2cf3ce28bfc4d2f419487c32fe
-
Filesize 4KB
MD5 addf7829f077d2e9f5006d21d06b5c8a
SHA1 11d9abd2c4023b356a71ec6688d22d03b7575e07
SHA256 644bdc9b67950a975337248db6481719b85cf25aee6a42510834639de1d37680
SHA512 f856e1491809254e11621bb8949833ee288406e46df6d1d3f5115aa46800e0f7cf28d126d198b2de2acddb8651351257870a34144dea11e054602de526feb28f
-
Filesize 4KB
MD5 a6f011e5e01733365cb1c66d7116b580
SHA1 f5695b1cda373ee1316d731b2fd4e81898aa2428
SHA256 6ddc5b9f9003517611a0c03c63287a75885462986e613cef1ae6baa0c07f9e00
SHA512 37232b1e33a5d3c75e2ae5fb87f31beabfe834769008b51a9d1276a4596e0a53f78a6dd4e73f0fe3916863b2c40752a16466db6120c98cc840e4ec039e4ccc61
-
Filesize 2KB
MD5 6fe4bad5e77f6d29673dd3adbad450a2
SHA1 70183705e4fe1ebfd9cfac7c1141d1982d85085f
SHA256 8ad9b41fac5669e8a2efcb59587645fffe2ef0494a7aebf17c7cb0781f87d7db
SHA512 1221c99e1cfbc36789d3a37b7536da2b16af9b9423642dac9f12e91022eba1e93d3850ee2c80eab6e017dd20e8229cd56f491d824f35dc627ef34eb917c51736
-
Filesize 15KB
MD5 fd36fb36ba2c5c9fa331bb7e8b3502e6
SHA1 2f4a0479067e1f6cab03cfcc34fd5b778985a033
SHA256 d324da5182656c1873bb805d73f5c262275e16a1684c0ca865af6ad1a5486c21
SHA512 1cbc2e31bbefa3a75e6b3fce6f5fffa9e5b9971edec1d7904593521582a506d0def0fb08a6c3231d00df4415bfd1bcb0f276f519d3ee82094db22da119a63621
-
Filesize 260KB
MD5 b4d68765b9ec56628fda11d92f38373d
SHA1 9f78e098a6bb2f36c59be7411ef0151cab3227fd
SHA256 b3144c675f840a91240d64d9a360f5ef5d7110febd2c2a2d23fc09de9e122ff9
SHA512 a8be7de6544cd6a38f273e1e8a53d43b5b8526cd6d0db26bf3e88c89efaec7fadd5601c313f260410aeae7178dfb596badc4e555daf70df90afcbfd0d1e0efeb
-
Filesize 2B
MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize 7KB
MD5 210404000578cf767ce74c9663fa4559
SHA1 163f9f117a53802b54bcb7139e26ce1d25a2e7c6
SHA256 f0fee14cf9166ac98672de300cbd78f981bf8f7c82ed7fde8aa13da269041b27
SHA512 8c7e52f697244c77b943b48966f5e5bba6050315c477564b3c28589dd080e579b6d8e7bee0ea9a59cfc0a6882764196113a2b9121701e536eddd46a5828159b5
-
Filesize 8KB
MD5 6883d51ee706f37ded157d502ab8660e
SHA1 983972b52eeaca6e12fe6eeeb672eebb253e8a8d
SHA256 24fdd219f9ffc9f2f188650f0dc7bf7a523c74b75865dd3cc1eb8a5517c6c977
SHA512 3aa6fce2ee841ea05a68948fbdcd4928319d951776e87616871331b366775b30a840a7ab45b00701771cce735677e323415d8d748da0f3099c8a81296c580b47
-
Filesize 12KB
MD5 deab6a0711b328040bce91f3e39ce78a
SHA1 604a1513e53dfcc416f2bf5c1e3a6419ea1e3151
SHA256 be8079d85e1c8e3d4e6fe18c3cdcbbecd20d48967f66e1eb1e49fa3152d2fda6
SHA512 2cdc1bd84d545dd75f107d08d7aeec665f78745a4bdf734f91594c028f75f45893f9fa124920188f9809c1b8dbe86785362025bac28fcf6037974a6dad1123f0
-
Filesize 588KB
MD5 026f3acffd29aa8bf8f26a037e016558
SHA1 a70977f5e52bfbf51f4435ca07914d14a89cc316
SHA256 1ca4462cdd5667342901dfbe0db91ed4100af27a0414536cca3fca46f1e0cb93
SHA512 70e791e0a1ae59885bb047091dc308b540d971f1e928dac614ebb46be0f1bf16dbbc1c24f321ba710652e8c80adf7dd542330b3619ec5aee5c4cdeb707a8b7f4
-
Filesize 1.7MB
MD5 da4ca27ba2b81af8a747851e23801ef0
SHA1 497080189bf6c8a3d94363be25af88e25cd40f1a
SHA256 4ea25cfd0b493059effaae1138785713e08e832ed81def05c172305cab57fb46
SHA512 668c6cae36d8a0634214b57c95b78a6d1437dc89fdb44a297c66207422d9e500ec7c3481ad4bfd8c26690a61237d2845d53379de3f9c681c1309522b07faf456
-
Filesize 659KB
MD5 1242b4c6028dcf01b19751960fd3bcad
SHA1 1cc10edff78fa0d0556d10789f4904b1dfacbfd1
SHA256 0221bce6cb76028465491ec869884dfca39810dd513c89a241e3f638f31efdfd
SHA512 dcab4815be7b8ecf561720f4d4baafd8e597b711e246d014f0e01bdd854cc3807207375c6b53728338e24e8bba142ef532a27b83d3ea03d82d66ed73d9df6f89
-
Filesize 1.2MB
MD5 82d5a7f3320023f11491e3764d141759
SHA1 68c7fc36061ecca08be7a5029bddca441c6cca1b
SHA256 a9425bcef3c8694439a410357e9f57419b05026cd22e1e962bc6b24bd982b39e
SHA512 53f1045dab085098c2c77f72189287689769f1298b2bda46e8e28ff4b25c7923fab60af7ed2dd47b8c44f74a9acd3e082f3e1cc1e62bed3d428b9cdeea999a07
-
Filesize 578KB
MD5 048d17e89b127266304be8eb42410219
SHA1 ec3effaa47134763be2d234dcba90dad1885a15c
SHA256 21f7c262444439948ed2f0935de0738cca24fb220e24af48e08603bd5e86324b
SHA512 1ed9e92bb753944605be8ecfc23f07bb102e3c8ed6e0fe80185d043b54d7151a031a60d453daea613310cf4070c5c4e413ac4a19dfb2e8b02118ad0dfd01e9f0
-
Filesize 940KB
MD5 46b1015515798b97f1b0ca2533622d38
SHA1 226604036ac7fae0ed3e4d7e2f6e6255c8592fd2
SHA256 cb420a43046440f41ce5037d24d3b95034f6c1461ab8982367f14d6b69855176
SHA512 afd3241abf7bed227606cdfead55e539aa560d37f2da49052c4398d0313beda4aeca99322ccb3f5b4787441e4e78302e83a1cfe8c3eaffc3416b56571fc9915f
-
Filesize 671KB
MD5 ebafe264dafbf69c42b515f1857339f1
SHA1 19f94ea8693de9f3f785fc0d7192a5c9e45de6f3
SHA256 b3893a270a48206f570fbcef016f5b654e053979610419d07448de5a5126ab2c
SHA512 34fae897c6eac2593c3cbd0984b3498d8bdcd0fcb5acff94954fc6ec4162a0098e133abcaa695a0744c7bd71995631d0a745c0b0fe5bf6b00c2914008a8e38ca
-
Filesize 1.4MB
MD5 70197d2b02604906951536c32d354f1b
SHA1 82924fa50cf2be6006e619c387124f168530f14d
SHA256 7097268f25fa526b648aa4705e4bf912c1aa48868730e8fe32bd7d6f4719e143
SHA512 bd96c544e90556025e22b0a8e6f9bb14371feb6d4fda56ab79e2cabc34d7e51f7f6e5671905fcb878463fa1565177a450eb22203590647d9798a7c10f14ae40b
-
Filesize 1.8MB
MD5 23ed6c4ca4ae153a7ebe7f4aaec1ebef
SHA1 6a43808d73273ddaeb21b07c7c4622dc87009b27
SHA256 cc18656db5538adaff8478fc050cdfec8ed35623426c24cb31ecda580499e595
SHA512 0105449e15df0552ad32ab758b5e3bc060d2901d771ccf64bde8607747e8c952e659a829ddabf6aa0fb571b6a3ffc8aed8d0292e026f0fc61c57672bf4f765c3
-
Filesize 1.4MB
MD5 8d521aa676fec059ac03147a7a1fd89e
SHA1 4736bc8b7ffdcd963f54b26a35bdbd38d111ab51
SHA256 4bf1da6d82bcd56a3c0efbcdd6e7186d9843794d1447fc4ba167a6f0b95f1d54
SHA512 e766b74ff6b03f869521b09a7180dddebd6dc41e761b187a223575957fac6dbd0c83b9a58839e26dab6be75614cf1292aee64d28931abb0a6a1510c1d0d1024f
-
Filesize 885KB
MD5 425e783da3b3ded81d77711f147bbe9c
SHA1 8f7f5b60cc9c3c2daacf04f6ff20b74e2da1af79
SHA256 e9a0ad72f486e22228bd9e851a8a0f04788fc2df5ee25c808855c221a4efe1ce
SHA512 772bf5b3b9bf5967cd2b1711098e0a019b3d3dd3436ab41bab67da4252e4af5ded91c1fca74a0fc2a7f600d576328b2e33ead37b9ce52a97b3c15c95299f3afc
-
Filesize 2.0MB
MD5 85d5544668e877d1016b36ec97957356
SHA1 d5f2eff404c7d370b201fadfafc2041cc56140d9
SHA256 dfb64de15578df24ee8368aa9ee4b7a7ffcfe73c9839d7e703f5f0af0518e075
SHA512 b0cb1f4babee7fc9b504221d919ef6b63cb6c574c67a570d1d886150ef88a1e61cfcdcebafe155ba434224b697436f043b20b415d08acac4a1ff2f522217989c
-
Filesize 661KB
MD5 aeb12b5e024e74695e2a3e98a48ecd05
SHA1 99905287ab41905bcf0c9bcb6c6e22529a34776c
SHA256 a8b03e68c0830e1c0c399956c480e5f6ac208b3f76f1f463e92a67f06135c64b
SHA512 00fe6dd5fbc4c46fdc5caca2f9835a007f692bf61158ed8eeed0b4f521fe96b4699d86be0050148391c7c95255c63bf1cfd091b5e2adb979471bb551185adad4
-
Filesize 712KB
MD5 bf72ee450255b449300e92a740800e8f
SHA1 e6f63c80fc01f34052a2a8b7b07ae9a9fc006a6e
SHA256 3d43a70f63e96de07a0561ce93d1d67e4363fef343c5bddffe4aaa26e8775bb7
SHA512 b94d229157e762e15e363d0febe98c7d695d927c4a7dab60f20b297d7b3ab676bdfec9df38046f07ff4d6bb489fa59bc490e1197d3b2f4663bc7b280cf71123b
-
Filesize 584KB
MD5 b13e49562b56fb1c9bc3de4dc0e87354
SHA1 4c2a8b0db7425e817219a4fa9df9813d46244391
SHA256 febee560da620f26218aebedca439cb7bbc8df54c1588f68a6d928ffba4c3ee2
SHA512 e150e87af0cef01073df12c9c5443090322e018b315f6d9504f23a3e0f2aed9d0dacfa8ae89942f1e91f019151ed655ae06567be1630ec70cbaadb8b6e66903c
-
Filesize 1.3MB
MD5 49e3cdf6a897147b908e6e5d9528a386
SHA1 e7186bc4e39ba5bc9e564d379426a191f4ab0320
SHA256 6690fae6eb75c7b4f7d2afb39a8b390932818e9ebd322f0794fb5495383fb00b
SHA512 ce6a1c4c71c680eee9e311c82ca4d23087e645183736e6fd76f8ac7deaefd15065ee09c6af5b5a5d8684938ac348ccb2d0ea705019cb0a65a9455a6cdebde7d4
-
Filesize 772KB
MD5 59b009b7d30d34d9603ce008a8e5f930
SHA1 fedbb3ac47df5af604f4d07a25fb1af7073f38dd
SHA256 cad6832b8e5f67ddf41fc4afa7bc5673643d236cf64ff89ad0539d17e8954dac
SHA512 81f5f648887699857b0a91782f1bac6fe1b870a347fe3db1ee2969318f1d6a3431c16353861704daafb34d0e9bbc918d97dfb0e99a1fcd286dadc12710478a20
-
Filesize 2.1MB
MD5 432d0d5e8b7678b3c3c19ee85c58cd1d
SHA1 94fb64e8c17258323ad2778ca6559fbd8dca1d4e
SHA256 8dc67b5440925103726f89ee4605eabd0de90a8a6051f1233d30dc086a2eded5
SHA512 2a2a43a86397a46fc388d1f6aa74e57dd477d96d4fc32df3e94aa33428c433cae231908e957846a5a842d9a1898c38f40ccda1849ad68abffbe51b7bc5ef1256
-
Filesize 40B
MD5 a9192caed8f01c6787ad3bdd1d229175
SHA1 00c9b64675e398322180e827875ebaa059450717
SHA256 4ff4abedc31b5dde5475b74633f6885981d29ad36c7d0a68c034a3a40a7e8d19
SHA512 b5e788c1ac18e745d2779925cd6cbe80d65da8f2667d66ffeb37da0748cc9720d8f56fbf55c36fa3825de404bb60741fe85489929c1d793d3365d7766eff8da2
-
Filesize 1.3MB
MD5 0a9e94340522923a447da0443ed726cb
SHA1 2c04de18bb4f3ca68c41613eaaa8c54f638b4a6e
SHA256 5e93b22b94d17e520438402a3004918de05cfdbcc28ab15f7e5b16b63361c0e1
SHA512 768500402b9450619a10a7d1b3e6d5f57ea4b28c3e828fa38d978668dd282aac05248601c1c21d49211d0e9599ee73d31a44410695374928b9d34750e1269f78
-
Filesize 877KB
MD5 cee28b3cc9ac6693d38ebf5e061cb337
SHA1 3986c90f92d1955ec4d4f22baccb99ac908e63bb
SHA256 ed0e2d0f778b2921a83dca7fefa1f3cd8000872b44e1d73a3899f1abc76baa60
SHA512 1f8f6ce31841a55c51fad1b0e00985eb570b38433a4688b01e4b3466967d0b56fbd483bed888038a3f2fd7abf6a2ebc18ed39932a90a4465fea8eff9dee56cd6
-
Filesize 635KB
MD5 1a47ce563f0f172693dff3759666c42f
SHA1 af99e90841c1d801f001e370f84b969328a50b00
SHA256 de7531da82c949a01e014a41dd7c13bfeb77c3f4d7b0e5748de055e50ad9abe3
SHA512 88fa6329c1bf990e6ed4fb4617e1d571aaa9b8311904e970703f923866f1bd855a6271cf90c458300d18197da756a07bf1d47b9579e9056cca44ac35fc35a09d
-
Filesize 5.6MB
MD5 611ce7d6dc8ee0e5474f8b7259ab8988
SHA1 ea99166fb1b797bb95dfc108bf9b593bd8f11335
SHA256 94ed425bf91946b2fbe9e8441e2b48bbfd76424441ab9d5eb432c1955c4a1e74
SHA512 82f0c26bfeb0660e2c3225739987b456325af2e29357fdbdb61da63b122c81f882f2d790fc5b980d0e9c5b361c40e3f79565692b6fcd0b7dd08849146adba401
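The dropped-files listing above is what a responder actually takes away from a report like this, and the raw export runs each label into its value (MD5<hex>, Filesize5KB), which makes copy-paste into a blocklist error-prone. The following is an added example and not part of the sandbox report: a small Python parser that reads the export in either the fused or the spaced form, rejects any digest whose hex length does not fit its algorithm, and checks a file's bytes or a single digest against the parsed records. The sample input is three entries copied from this page and is constructed for the example; the 2-byte entry's digests are those of the two-byte string {} (an empty JSON object), which gives an offline check that parsing and comparison work. The record fields and helper names are mine, not the sandbox's.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Expected hex length of each digest the sandbox reports; anything else is a
# copy or extraction error and is rejected rather than silently kept.
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Label immediately followed (optionally after whitespace) by hex: this is the
# fused "MD5<hex>" form of the raw export as well as the spaced "MD5 <hex>".
DIGEST_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*([0-9A-Fa-f]+)$")
SIZE_RE = re.compile(r"^Filesize\s*(\S+)?$")

# Constructed sample: three entries copied from the dropped-files listing on
# this page, mixing the fused form ("MD5<hex>", "Filesize5KB", size on the
# next line) with the spaced form so both paths through the parser are used.
SAMPLE = """\
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\00108ae9-4c46-4528-9409-a6f0fc280000.tmp
Filesize5KB
MD579ce552596ca63bc499df32fae09edae
SHA1a08a280464ac38fe79ef08264185fecd84ba1aca
SHA256c9e3cb53057b4a444c916c25522c757687bee89d6636e805bfd145bf8bd4a1a8
SHA512a6597c8fff58c315b91c827e6236d678fd53f930a79aea73d398220a54194455f12c15f2d769d3c2868237c62ea4e075516a4d28cdff755c1847bdcc03ee718a
-
Filesize 40B
MD5 ebf424291670dda4b391fd882059506f
SHA1 fdf5196e0b5d872e7b8e9c35abea4e779329f606
SHA256 0c08e7fe9a70023ad15bea10d76035610c1d52a826ac1af4fffb88953e4b1ced
SHA512 a9731e463b3a62211a105c4de220c460b3e982728a8630d9821814d3fb774316ec94a37ea8cc1668206aa83ba4b8f42df08dd61255da3b7fb8941eda8adf4ca5
"""


@dataclass
class DroppedFile:
    path: Optional[str]   # only some entries carry the on-disk path in the export
    size: str             # as reported, e.g. "2B", "5KB", "24.0MB"
    digests: Dict[str, str] = field(default_factory=dict)  # algorithm -> lowercase hex


def parse_dropped_files(text: str) -> List[DroppedFile]:
    """Split the export on its '-' separators and turn each block into a record.

    Raises ValueError on a digest whose length does not match its algorithm,
    which is how a mangled copy of an indicator shows up.
    """
    records: List[DroppedFile] = []
    block: List[str] = []
    for raw in text.splitlines() + ["-"]:   # trailing sentinel flushes the last block
        line = raw.strip()
        if line == "-":
            if block:
                records.append(_parse_block(block))
                block = []
        elif line:
            block.append(line)
    return records


def _parse_block(lines: List[str]) -> DroppedFile:
    rec = DroppedFile(path=None, size="")
    i = 0
    while i < len(lines):
        line = lines[i]
        digest = DIGEST_RE.match(line)
        size = SIZE_RE.match(line)
        if digest:
            algo, hexval = digest.group(1), digest.group(2).lower()
            if len(hexval) != HEX_LEN[algo]:
                raise ValueError(f"{algo} has {len(hexval)} hex chars, expected {HEX_LEN[algo]}: {line}")
            rec.digests[algo] = hexval
        elif size:
            if size.group(1):
                rec.size = size.group(1)
            else:                               # size spilled onto the next line
                i += 1
                rec.size = lines[i] if i < len(lines) else ""
        else:
            rec.path = line                     # anything else is the dropped path
        i += 1
    return rec


def match_digests(data: bytes, rec: DroppedFile) -> Dict[str, bool]:
    """Hash `data` with every algorithm the record carries and compare each."""
    return {
        algo: hashlib.new(algo.lower(), data).hexdigest() == expected
        for algo, expected in rec.digests.items()
    }


def lookup(records: List[DroppedFile], algo: str, hexdigest: str) -> Optional[DroppedFile]:
    """Find the record carrying this digest, e.g. to pivot from an EDR hash alert."""
    want = hexdigest.strip().lower()
    for rec in records:
        if rec.digests.get(algo.upper()) == want:
            return rec
    return None


if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE)
    for r in recs:
        print(r.size, r.path or "<no path in export>", r.digests["SHA256"])
    # The 2-byte entry is the empty JSON object "{}"; all four digests agree.
    print(match_digests(b"{}", recs[0]))
```

The length check is deliberate: a digest missing a character still looks like a hash, and a blocklist built from it will never match anything. Feed `match_digests` the bytes of a file recovered from the host and every algorithm must agree; a mismatch in only some of them means the indicators were copied from different files.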