Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 18:32

Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_2aed1d4b2925d3720d19fb2e65e7586f_ryuk.exe
Resource: win7-20240215-en

General
Target: 2024-04-03_2aed1d4b2925d3720d19fb2e65e7586f_ryuk.exe
Size: 5.5MB
MD5: 2aed1d4b2925d3720d19fb2e65e7586f
SHA1: c1a4439a56a641bd40bda40f1d70ee4a245c9828
SHA256: 1df377120c034be98bf681678859d9683f330667577f404ba6b53df55d40d83f
SHA512: 92f2892b885a69b17a8b3bd93dc39fcfccd3da10bbe700e8f0f38c201af6d2e735a837196702d91526610f000720804174aa98c53e1e5288e50ba3c09e23b409
SSDEEP: 49152:AEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfe:OAI5pAdVJn9tbnR1VgBVmipAhQ1CNvi

Malware Config

Signatures
Executes dropped EXE 26 IoCs
pid   Process
3628  alg.exe
1484  DiagnosticsHub.StandardCollector.Service.exe
1836  fxssvc.exe
4792  elevation_service.exe
1476  elevation_service.exe
2956  maintenanceservice.exe
412   msdtc.exe
1032  OSE.EXE
4876  PerceptionSimulationService.exe
1368  perfhost.exe
2728  locator.exe
3152  SensorDataService.exe
3108  snmptrap.exe
464   spectrum.exe
1156  ssh-agent.exe
2768  TieringEngineService.exe
3496  AgentService.exe
3136  vds.exe
5164  vssvc.exe
5264  wbengine.exe
5320  WmiApSrv.exe
5388  SearchIndexer.exe
6136  chrmstp.exe
5644  chrmstp.exe
5888  chrmstp.exe
6012  chrmstp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 33 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-03_2aed1d4b2925d3720d19fb2e65e7586f_ryuk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS 64 IoCs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f8b14f55f585da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca2dca54f585da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 46 IoCs
pid | Process | count
4396 | chrome.exe | 2
1008 | 2024-04-03_2aed1d4b2925d3720d19fb2e65e7586f_ryuk.exe | 35
1484 | DiagnosticsHub.StandardCollector.Service.exe | 7
3152 | chrome.exe | 2
(Rows collapsed; the report lists each of the 46 events separately, in the order shown.)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid | Process | count
660 | Process not Found | 2
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid | Process | count
4396 | chrome.exe | 3
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Token | pid | Process | count
SeTakeOwnershipPrivilege | 2760 | 2024-04-03_2aed1d4b2925d3720d19fb2e65e7586f_ryuk.exe | 1
SeAuditPrivilege | 1836 | fxssvc.exe | 1
SeShutdownPrivilege | 4396 | chrome.exe | 14
SeCreatePagefilePrivilege | 4396 | chrome.exe | 13
SeRestorePrivilege | 2768 | TieringEngineService.exe | 1
SeManageVolumePrivilege | 2768 | TieringEngineService.exe | 1
SeAssignPrimaryTokenPrivilege | 3496 | AgentService.exe | 1
SeBackupPrivilege | 5164 | vssvc.exe | 1
SeRestorePrivilege | 5164 | vssvc.exe | 1
SeAuditPrivilege | 5164 | vssvc.exe | 1
SeBackupPrivilege | 5264 | wbengine.exe | 1
SeRestorePrivilege | 5264 | wbengine.exe | 1
SeSecurityPrivilege | 5264 | wbengine.exe | 1
33 (LUID 33 = SeIncreaseWorkingSetPrivilege; the report prints it by number) | 5388 | SearchIndexer.exe | 1
SeIncBasePriorityPrivilege | 5388 | SearchIndexer.exe | 1
SeTakeOwnershipPrivilege | 5388 | SearchIndexer.exe | 24
(Rows collapsed in order of first appearance; the report lists all 64 enables separately.)
The row that matters for the sample itself is the first one: PID 2760 enabled SeTakeOwnershipPrivilege, which lets a process take ownership of any securable object regardless of its DACL. Taking ownership and then granting itself write access is one way an administrator-level process gets to overwrite TrustedInstaller-owned service binaries under System32, and that is exactly the file activity this run shows. The remaining rows come from chrome.exe and from service processes whose binaries this run shows executing as dropped files; the privileges are the ones those services normally hold, but because the binaries were rewritten they cannot be assumed benign.
-
Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process | count
4396 | chrome.exe | 3
-
Suspicious use of WriteProcessMemory 64 IoCs
writer pid | writer Process | target pid | procid_target | count
2760 | 2024-04-03_2aed1d4b2925d3720d19fb2e65e7586f_ryuk.exe | 1008 | 88 | 2
2760 | 2024-04-03_2aed1d4b2925d3720d19fb2e65e7586f_ryuk.exe | 4396 | 91 | 2
4396 | chrome.exe | 5044 | 92 | 2
4396 | chrome.exe | 3432 | 99 | 38
4396 | chrome.exe | 2304 | 100 | 2
4396 | chrome.exe | 1344 | 101 | 18
(Rows collapsed; the report lists all 64 writes separately, in the order shown.)
Every target here is the writer's own child in the process tree below (1008 and 4396 are spawned by 2760; 5044, 3432, 2304 and 1344 are spawned by 4396), so what the table shows is parent-to-child writes around process creation, which Chromium-based code does for every child it launches, rather than a write into an unrelated process. A parent writing into a freshly created child is also how process hollowing works, so the children's on-disk images still need to be checked; the table alone does not distinguish the two.
-
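The two tables above (privilege enables and cross-process memory writes) come out of the report as a single run-on line each, which makes them hard to read and impossible to grep. The helper below is an added example, not sandbox code: it parses both layouts with regular expressions written against the format as it appears on this page, collapses the repeats, resolves the bare LUID that the report prints instead of a privilege name, flags privileges that let a process get at files its ACLs would deny, and marks memory writes whose target runs a different image from the writer. The excerpts are constructed subsets of the tables on this page with the sample's long file name shortened to sample.exe, and the PID-to-image map is read off the process tree by hand.

```python
"""Triage helpers for two flattened signature tables in a sandbox report:
'Suspicious use of AdjustPrivilegeToken' and 'Suspicious use of
WriteProcessMemory'. Added example; not part of the sandbox or the sample.
The excerpts below are constructed from this page, with the sample's long
file name shortened to sample.exe."""
import re
from collections import Counter, defaultdict

# Privileges that let a process reach files its ACLs would deny it:
# SeTakeOwnershipPrivilege takes ownership of any securable object,
# SeRestorePrivilege / SeBackupPrivilege bypass DACLs for write / read.
FILE_TAKEOVER_PRIVS = {"SeTakeOwnershipPrivilege", "SeRestorePrivilege",
                       "SeBackupPrivilege"}
# The report prints privileges it has no name for as bare LUIDs.
LUID_NAMES = {"33": "SeIncreaseWorkingSetPrivilege"}

TOKEN_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")
# Layout: PID <writer> wrote to memory of <target> <writer> <image> <procid_target>
WRITE_RE = re.compile(
    r"PID\s+(\d+)\s+wrote to memory of\s+(\d+)\s+\1\s+(\S+)\s+(\d+)")

# Constructed excerpts in the report's run-on layout.
SAMPLE_TOKENS = ("Token: SeTakeOwnershipPrivilege 2760 sample.exe "
                 "Token: SeAuditPrivilege 1836 fxssvc.exe "
                 "Token: SeShutdownPrivilege 4396 chrome.exe "
                 "Token: SeCreatePagefilePrivilege 4396 chrome.exe "
                 "Token: SeBackupPrivilege 5164 vssvc.exe "
                 "Token: SeRestorePrivilege 5164 vssvc.exe "
                 "Token: 33 5388 SearchIndexer.exe "
                 "Token: SeTakeOwnershipPrivilege 5388 SearchIndexer.exe "
                 "Token: SeTakeOwnershipPrivilege 5388 SearchIndexer.exe")
SAMPLE_WRITES = ("PID 2760 wrote to memory of 1008 2760 sample.exe 88 "
                 "PID 2760 wrote to memory of 1008 2760 sample.exe 88 "
                 "PID 2760 wrote to memory of 4396 2760 sample.exe 91 "
                 "PID 4396 wrote to memory of 3432 4396 chrome.exe 99 "
                 "PID 4396 wrote to memory of 3432 4396 chrome.exe 99")
# PID -> image, read off the process tree (constructed subset).
SAMPLE_IMAGES = {"2760": "sample.exe", "1008": "sample.exe",
                 "4396": "chrome.exe", "3432": "chrome.exe"}


def parse_tokens(text):
    """Return [(privilege, pid, image)] with bare LUIDs resolved to names."""
    return [(LUID_NAMES.get(priv, priv), pid, image)
            for priv, pid, image in TOKEN_RE.findall(text)]


def privileges_by_process(rows):
    """Collapse repeated rows into {(pid, image): Counter({privilege: n})}."""
    out = defaultdict(Counter)
    for priv, pid, image in rows:
        out[(pid, image)][priv] += 1
    return out


def file_takeover_enablers(rows):
    """(pid, image, privilege) for every process that enabled a privilege
    sufficient to overwrite files it has no ACL access to, such as
    TrustedInstaller-owned binaries under System32."""
    return sorted({(pid, image, priv) for priv, pid, image in rows
                   if priv in FILE_TAKEOVER_PRIVS})


def parse_writes(text):
    """Return [(writer_pid, target_pid, writer_image, procid_target)]."""
    return list(WRITE_RE.findall(text))


def summarise_writes(rows, images):
    """Group writes by (writer, target) and mark writes into a different
    image. A parent writing into its own new child is usually process
    bootstrap (Chromium does it for every child); a write into a process
    running another image, or one not in the tree at all, is worth chasing."""
    counts = Counter((w, t, img) for w, t, img, _ in rows)
    return [{"writer": w, "writer_image": img, "target": t,
             "target_image": images.get(t, "?"), "count": n,
             "cross_image": images.get(t) != img}
            for (w, t, img), n in sorted(counts.items())]


if __name__ == "__main__":
    rows = parse_tokens(SAMPLE_TOKENS)
    for (pid, image), privs in privileges_by_process(rows).items():
        print(pid, image, dict(privs))
    print("file takeover:", file_takeover_enablers(rows))
    for row in summarise_writes(parse_writes(SAMPLE_WRITES), SAMPLE_IMAGES):
        print(row)
```

To use it on the full tables, paste each run-on line into the corresponding SAMPLE_ string and extend the PID map from the process tree; the WRITE_RE backreference relies on the writer PID being repeated after the target PID, which is how this report prints the column, so a row that does not follow that layout is silently skipped rather than misread.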
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. For a sample labelled as ransomware this signature is normally the prelude to deleting shadow copies so that encrypted files cannot be rolled back, but the report records only use of the VSS COM interface, not a snapshot deletion, so do not read it as more than that. Note also that vssvc.exe (PID 5164) appears in the process list below as an executed dropped file: the VSS service binary itself had been rewritten before it ran, so VSS activity in this run is not evidence of an intact service either.
Processes
Depth marker [n]: a [1] entry has no traced parent within the sample's tree; an [n] entry is a child of the nearest preceding [n-1] entry. The security-relevant pattern is at depth 1: every service image there that carries the "Executes dropped EXE" badge (alg.exe, fxssvc.exe, msdtc.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe and the rest) is a legitimate binary at its legitimate path that had been rewritten before it started, by the sample's own processes (PIDs 2760 and 1008, both flagged "Drops file in System32 directory") and then by already-rewritten services propagating further (PIDs 1484 and 412 carry the same badge). Those images are the persistence footprint to verify, by hash or Authenticode signature, on any host that ran this sample.

[1] C:\Users\Admin\AppData\Local\Temp\2024-04-03_2aed1d4b2925d3720d19fb2e65e7586f_ryuk.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2aed1d4b2925d3720d19fb2e65e7586f_ryuk.exe"
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2760
    [2] C:\Users\Admin\AppData\Local\Temp\2024-04-03_2aed1d4b2925d3720d19fb2e65e7586f_ryuk.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\2024-04-03_2aed1d4b2925d3720d19fb2e65e7586f_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        PID:1008
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
        - Enumerates system info in registry
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID:4396
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc7ea79758,0x7ffc7ea79768,0x7ffc7ea79778
            PID:5044
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1884,i,13275446734328340057,14714819504637923081,131072 /prefetch:2
            PID:3432
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1884,i,13275446734328340057,14714819504637923081,131072 /prefetch:8
            PID:2304
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2144 --field-trial-handle=1884,i,13275446734328340057,14714819504637923081,131072 /prefetch:8
            PID:1344
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1884,i,13275446734328340057,14714819504637923081,131072 /prefetch:1
            PID:2140
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1884,i,13275446734328340057,14714819504637923081,131072 /prefetch:1
            PID:2924
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4116 --field-trial-handle=1884,i,13275446734328340057,14714819504637923081,131072 /prefetch:1
            PID:1924
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5072 --field-trial-handle=1884,i,13275446734328340057,14714819504637923081,131072 /prefetch:8
            PID:4636
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1884,i,13275446734328340057,14714819504637923081,131072 /prefetch:8
            PID:1380
        [3] C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
            cmd: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
            - Executes dropped EXE
            PID:6136
            [4] C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
                cmd: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x1403b7688,0x1403b7698,0x1403b76a8
                - Executes dropped EXE
                PID:5644
            [4] C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
                cmd: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
                - Executes dropped EXE
                PID:5888
                [5] C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
                    cmd: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x29c,0x2a0,0x2a4,0x298,0x2a8,0x1403b7688,0x1403b7698,0x1403b76a8
                    - Executes dropped EXE
                    PID:6012
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4032 --field-trial-handle=1884,i,13275446734328340057,14714819504637923081,131072 /prefetch:8
            PID:5184
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 --field-trial-handle=1884,i,13275446734328340057,14714819504637923081,131072 /prefetch:2
            - Suspicious behavior: EnumeratesProcesses
            PID:3152
[1] C:\Windows\System32\alg.exe
    cmd: C:\Windows\System32\alg.exe
    - Executes dropped EXE
    PID:3628
[1] C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    cmd: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1484
[1] C:\Windows\System32\svchost.exe
    cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    PID:3868
[1] C:\Windows\system32\fxssvc.exe
    cmd: C:\Windows\system32\fxssvc.exe
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:1836
[1] C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    cmd: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    - Executes dropped EXE
    PID:4792
[1] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    - Executes dropped EXE
    PID:1476
[1] C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    cmd: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    - Executes dropped EXE
    PID:2956
[1] C:\Windows\System32\msdtc.exe
    cmd: C:\Windows\System32\msdtc.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:412
[1] \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    cmd: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    - Executes dropped EXE
    PID:1032
[1] C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    cmd: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    - Executes dropped EXE
    PID:4876
[1] C:\Windows\SysWow64\perfhost.exe
    cmd: C:\Windows\SysWow64\perfhost.exe
    - Executes dropped EXE
    PID:1368
[1] C:\Windows\system32\locator.exe
    cmd: C:\Windows\system32\locator.exe
    - Executes dropped EXE
    PID:2728
[1] C:\Windows\System32\SensorDataService.exe
    cmd: C:\Windows\System32\SensorDataService.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:3152
[1] C:\Windows\System32\snmptrap.exe
    cmd: C:\Windows\System32\snmptrap.exe
    - Executes dropped EXE
    PID:3108
[1] C:\Windows\system32\spectrum.exe
    cmd: C:\Windows\system32\spectrum.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:464
[1] C:\Windows\System32\OpenSSH\ssh-agent.exe
    cmd: C:\Windows\System32\OpenSSH\ssh-agent.exe
    - Executes dropped EXE
    PID:1156
[1] C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
    PID:1864
[1] C:\Windows\system32\TieringEngineService.exe
    cmd: C:\Windows\system32\TieringEngineService.exe
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
[1] C:\Windows\system32\AgentService.exe
    cmd: C:\Windows\system32\AgentService.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3496
[1] C:\Windows\System32\vds.exe
    cmd: C:\Windows\System32\vds.exe
    - Executes dropped EXE
    PID:3136
[1] C:\Windows\system32\vssvc.exe
    cmd: C:\Windows\system32\vssvc.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5164
[1] C:\Windows\system32\wbengine.exe
    cmd: "C:\Windows\system32\wbengine.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5264
[1] C:\Windows\system32\wbem\WmiApSrv.exe
    cmd: C:\Windows\system32\wbem\WmiApSrv.exe
    - Executes dropped EXE
    PID:5320
[1] C:\Windows\system32\SearchIndexer.exe
    cmd: C:\Windows\system32\SearchIndexer.exe /Embedding
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5388
    [2] C:\Windows\system32\SearchProtocolHost.exe
        cmd: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
        - Modifies data under HKEY_USERS
        PID:5980
    [2] C:\Windows\system32\SearchFilterHost.exe
        cmd: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
        - Modifies data under HKEY_USERS
        PID:4820
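The process tree is the part of this report an incident responder actually works from, and in the text export each entry arrives with the image path, the quoted command line and the depth marker run together on one line, followed by its badge lines and PID. The script below is an added example, not sandbox code: it rebuilds the tree from that export format, recovers which PIDs the sample spawned, and pulls out the depth-1 entries that executed as dropped files from a system directory, which is the list of service binaries to verify on other hosts. The embedded excerpt is a constructed subset of the tree on this page with the sample's long file name shortened to sample.exe and most command-line arguments trimmed; the export format assumed is the one shown on this page (path, then command line, then `<depth>⤵`, optionally `PID:<n>` on the same line).

```python
"""Rebuild a sandbox process tree from its text export and list the service
binaries that ran as 'dropped' executables. Added example, not sandbox code.
The excerpt below is a constructed subset of the tree on this page."""
import re

# <image><cmdline><depth>⤵ optionally followed by PID:<n> on the same line
LEVEL_RE = re.compile(r"^(.*?)(\d)⤵(?:PID:(\d+))?$")
PID_RE = re.compile(r"^PID:(\d+)")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")

# Constructed excerpt; lone '-' lines are the export's entry separators.
SAMPLE_TREE = r"""
C:\Users\Admin\AppData\Local\Temp\sample.exe"C:\Users\Admin\AppData\Local\Temp\sample.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Users\Admin\AppData\Local\Temp\sample.exeC:\Users\Admin\AppData\Local\Temp\sample.exe --type=crashpad-handler /prefetch:72⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1008
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Suspicious use of WriteProcessMemory
PID:4396 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process3⤵PID:3432
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:3628
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:3868
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5164
-
"""


def split_image_cmdline(body):
    """The export concatenates image path and command line. A quoted command
    line starts at the first '"'; an unquoted one repeats the image path."""
    q = body.find('"')
    if q > 0:
        return body[:q], body[q:]
    for i in range(1, len(body)):
        head, tail = body[:i], body[i:]
        if tail == head or tail.startswith(head + " "):
            return head, tail
    return body, ""


def parse_tree(text):
    """Return nodes {image, cmdline, depth, pid, badges, parent} in report
    order; parent is the index of the nearest preceding shallower node."""
    nodes, stack, cur = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        m = LEVEL_RE.match(line)
        if m:
            image, cmdline = split_image_cmdline(m.group(1))
            depth = int(m.group(2))
            while stack and stack[-1][0] >= depth:  # pop siblings/deeper
                stack.pop()
            cur = {"image": image, "cmdline": cmdline, "depth": depth,
                   "pid": m.group(3), "badges": [],
                   "parent": stack[-1][1] if stack else None}
            stack.append((depth, len(nodes)))
            nodes.append(cur)
        elif line.startswith("- ") and cur is not None:
            cur["badges"].append(line[2:])
        elif cur is not None and (pm := PID_RE.match(line)):
            cur["pid"] = pm.group(1)
    return nodes


def subtree_pids(nodes, pid):
    """PIDs spawned, directly or indirectly, by the node with the given PID.
    Parents always precede children in report order, so one pass suffices."""
    root = next(i for i, n in enumerate(nodes) if n["pid"] == pid)
    members, out = {root}, []
    for i, n in enumerate(nodes):
        if n["parent"] in members:
            members.add(i)
            out.append(n["pid"])
    return out


def replaced_service_binaries(nodes):
    """Depth-1 entries that ran as dropped executables from a system
    directory: legitimate images rewritten before they started, i.e. the
    persistence footprint to verify on other hosts."""
    return sorted({n["image"] for n in nodes
                   if n["depth"] == 1 and "Executes dropped EXE" in n["badges"]
                   and n["image"].lower().lstrip("\\?").startswith(SYSTEM_DIRS)})


if __name__ == "__main__":
    tree = parse_tree(SAMPLE_TREE)
    print("spawned by 2760:", subtree_pids(tree, "2760"))
    for path in replaced_service_binaries(tree):
        print("verify:", path)
```

The `\??\` prefix the export uses for one entry is stripped before the directory check, and an entry with no badge lines (the two svchost.exe hosts here) is kept in the tree but never reported, since the selection is driven by the badge, not by the path alone.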
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 bf02f59538c206995cf3a9d657a1f7fe
SHA1 111422b5c45d9c29726316d450cfe21234f5bef5
SHA256 70aebda56328a847a84ce47a5fd2161824d709eabf1bc86b9c88f005246ff452
SHA512 e3431d1c64e71044602d30bc4dce2f0003e0f2d185cbd3b381089d3e26284e6378230e57acbb8a074714c5c4f5da27d8b7eb1c1f1b13e9f187797034829e3b3c
-
Filesize 781KB
MD5 7b410c1791ab6d450bc1144a69c8cb11
SHA1 1801c31e89e0cd7b0ef36d57eb10e051ded54a1b
SHA256 0b7b2a10771e5388497f98f99bea4b0e6e1f48a12c86ebb56c7d076d7d583d2a
SHA512 fd1a23e937688cd0fa55f7f25c59a167e1cf0b724861e8bac91fff28e25071853d3d2832f88e87b118ef6f9eb0f44638ce9d61f992273c81756558e019fc85a2
-
Filesize 1.1MB
MD5 f137a132bf774d7081da18d9ecc36be1
SHA1 fcc3d27a484ff19285dfd4031cdfd44e94dcbf46
SHA256 ea40943454b9b99ad454dda1bdb628ed451a4e143904d8e2a77d2c0557208272
SHA512 0ee52a6b99f4f84a81ac1d4d6bad97bc2442636942ecd3330098fae747da6c1f1bc6d95396d8ef3d86eec28175dfc8c1c0beca3b6612a97efce318944ec4fe8d
-
Filesize 1.5MB
MD5 ddafb4449eac815be2acbc56d2945f02
SHA1 396c1525c275098e95241ad8e7c8380006a9bbb5
SHA256 6fa0379ff94e902d2654041e1557e7147b63da64fb58601d597514aaaf301681
SHA512 a0573fb5b41c7149b4b7f4bdc380993a726fcf4fc6108ca3b1872147e3627c10d58e56f1beee0421b47d8349480825ed837e15ec1d5668bf1d99072ae888997b
-
Filesize 1.2MB
MD5 be8a232941dd8069a1a82e19b6e74906
SHA1 0ee4d09ebc5e0f6dcd6940072dc6dd0818791a70
SHA256 06fc68bdd1e736d3a68f7eb74b95cc3a80d1dfa1bf4179b383f3317516e25005
SHA512 803b13d538a34535136ff3b3514069b8089ecc097d48f21ba0edb61ae7d24535ccdf7bf61d3a6c8d620eaf02240ceac4e8b08390b0d12bc62c48a3023f0c6ef5
-
Filesize 582KB
MD5 4d47ec1fcb6e864de4baed0d35be2926
SHA1 74b210db00f07210ed7baa48a646407da05bf29a
SHA256 bdfb0d3ba1ad66208171531a6f8a0fcd197b1c50cde1cb5616d512c5779a22fe
SHA512 943eaabce511ae2f9e9918b70222c947fe0c99c19cb0a096f02662266e6f9e1f73799862b845dddacb5398934281bbed3e132d2de3c28e63333a0c20e8888051
-
Filesize 840KB
MD5 6d248ea26275727987f091472e9222f6
SHA1 416a6788d6eb42d105c5cc30f15a307a5962c89b
SHA256 04bf8105a030fbf72de9a2196707b3e3b0acbb7f97072ad1d903905a0a685345
SHA512 4249dadc864799d6818cff01b945b22f78a303687fd1c3fd603aac681908254f76fd3dbc47179ecd11e65d4634620a88dcbfa7d7b2a2420f110de36ad54f23fc
-
Filesize 4.6MB
MD5 e06d5baa7c730b07e3ba7641f8eeabcb
SHA1 ea7c05e6586861dc2fc29d6f6eb7bcecdc8117d6
SHA256 cfe4b0b130bc89d4c5f6fffd0cf946bc5298637f59fd19cff65fd423a61d9448
SHA512 f0bbc3ab28a8bbeeab93968cfa3c2f44c71f6b4ea6d4f7deba2f2aa08276c09aba5324f42a6cad6431aebd7cffadb8b4ea722486888d9a44519c8383709e7f3c
-
Filesize 910KB
MD5 2951f77b50c4a7545b31c0851e0360af
SHA1 5971aad27aead57753fa02b6e01111f15efcb9d4
SHA256 bfe5e2d354c29ff4a09a11a0c98db7275bf4458ded296cb8247d5efd6d19150f
SHA512 b66077e39affa548f692e8e52ff2d9f1279b9515cede25c105fe3529cc9ee5afcddf2d50b6a8f1eb8a4a922e557b03ca5ee46f747c2bf55a38db3d7f609a06f8
-
Filesize 24.0MB
MD5 8ced48d5b8b3a859a32dd7af7084018b
SHA1 1da69f38ef6cd882c1d024ff1def704c5ad0a554
SHA256 ed39c49829ad33830c1530cf79ac78e7516931aabfd5e5e8289eea8a5f79db96
SHA512 1822a14d55aab13c79689192a9059083cfdbd02300649dcbc910f91ff1bef4b7a30d2155bdab392c5edb540e2844242919e32bd380a89fa8b18aa798d68e07f8
-
Filesize 2.7MB
MD5 e31f34c650f49b246f0597284974efcb
SHA1 6adece790ddf7e6188537406e63cb064d0e3ff0b
SHA256 e4f24fc8da98b884f8344bc21937e5ddece3b7aa0f4b9467159ec5c3f3b0a182
SHA512 efc5a3f3c1bb13280aefe8e364b2cca35155fb5570b9cc7da15b80239ff6c633b41bc9d4e19b5a56965dafa662c492c8fadcc1820071a2523da56fbd97720c81
-
Filesize 1.1MB
MD5 c7d7cad6d221a619f88cfd80f8fdc630
SHA1 3577e8f8c1535a24eb8bcd273c54c2cf5b601b0e
SHA256 14bfd44ec9902360e01c5ff0e4daae0baa2353e011bdf740c5cc8e0bc3924631
SHA512 fbcd61556ecf1170aa2b718f0ef4349dbdbb497d3c05177c6357ed12a52b88eb76ed5807d7cdfb14499f505b2758989e2422967a6de51bdcc8772fd5a5f43fc2
-
Filesize 805KB
MD5 06e932a6c4848a35c7d3e452046e612f
SHA1 fb58c179d8e9e903ea672e1a177b5f30d4ecdee2
SHA256 797ceacea6bd9e26cbc8fceb041830da876b7eb75d0ac23a59609ef799d48b21
SHA512 ab2d65520ed0f3125572f181e40e54d6b52b54403c35b2f3f6a30cc278e08b426033728f6f6488bc29aace4ccd656c798ecf94c24560a5eb94bde7b336341cf4
-
Filesize 656KB
MD5 eb28d9edcb4aeec40bef1d9763c66bf4
SHA1 090b65a0d558dc43f0c30ccad84e45c23c246d44
SHA256 4d3cda59bb9ad7d09eb40b9b830e9b00920b1c2514a879db7075ddec7a0b483d
SHA512 a267e36559896e558b69f8eff669e78c9d68f8690122ad0be12590480fdccb7a9d982d58bece4a0fb99805fd2674507ff867e10f4eca388cac0b9ca459751473
-
Filesize 4.8MB
MD5 fecf8ca33a1a149d06f329221708e1d9
SHA1 dd57c39be2da332986e282e855aa744a771d8344
SHA256 4b2af33a6fa4bea1deb15276edb05ab4d785f7db43627f5a6ce8437029821547
SHA512 e1b1c5fba22d517efba9c0cd452d92d48624d5e033e4fc9aa0bdd233081e6bb0b7ae13e970ea4ced8073d56a4bd7109f4f4bdd58d2cd944bcc68de6f5462fda7
-
Filesize 2.1MB
MD5 34096eb0e64ea4f5edd031951b17b441
SHA1 b009af569e2dd8594977b757cb42233858122e5b
SHA256 afd9aabc804025cced0c878daf0a0ca1c9e03d1257671651ac00bc5639fe64b7
SHA512 8f8553f84c4c84b9c10584652fda9077de62a707db2e67986193db9ab74bc2b3439db5e2988f60a1a52f06500ecab931666df25c9c3be2b74540a2e100ae3b07
-
Filesize 488B
MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize 1.5MB
MD5 0882603d276bcc9fedbac841fa4be25e
SHA1 b3067893d8d8901c1c024c1de42e6b34346ec34f
SHA256 089ef70d64daaa01192deee688c3099d0a55a554be8eada32c376b1d4d6f3402
SHA512 cb983d6839995b9e884a2073324166e12cce52353fd62bda80f34c84c38682f9c10e79abe26eb4927a9bd0b633feee0c01cd6e45043767796a19855f18bb3e3a
-
Filesize 696KB
MD5 1e99af0c8424dccb0fd8c938d016e17c
SHA1 f6ba21274c5be9be0744a81332ae5e95e0278d79
SHA256 dba2adb13dc2bb5e30467da6a5b5799e3bac241e4ebcdbf66b68231f70132836
SHA512 b3b74fe63aed818a148f2a0d92b3c16be3fdd9839d7633f43ea1b9deafc243b27c2dc3d47ce2fae765f2ffb7d10864e7d0b8a0f18dd5a007caff132f662edc79
-
Filesize 260KB
MD5 867859e35c300bdee454b5db7b9e7c19
SHA1 2b0f66304a9cfa7183e1d0f9933bbfd6dc59df88
SHA256 b9aa4f97df48e09e392b17cbbc6ca9e2f747064c61b0848067358f687e855558
SHA512 24ad705dbe9a71d69cde73316c1d788ec028c439f38cc7d8229a550b5a337d96aa0eeb0ad6c2fbfb43508db0f17346f5ccceebbe438e4259571819fc737baf84
-
Filesize 40B
MD5 1a7cdcf21794595155d9daf1ec65d8da
SHA1 40352477e8e67dcd08926c4d5904886a59ca052d
SHA256 ce57ea98de4e5bc14ef94248254970c775ec2c2e1105acf460333f725b3366f3
SHA512 3e1c27fc5dd19282fbaec773dd87077fe1749a450b2ee15bf001548751cc6293025e3454482706126131febb642021ae655350bbe8d43c5cd057b73708241895
-
Filesize 193KB
MD5 ef36a84ad2bc23f79d171c604b56de29
SHA1 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256 e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512 dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize
945B
MD5ee79ae6c9e835801a5501bd5e610c847
SHA14d5e0564e15659f4549d373f7040d7b6ec693119
SHA25645d47b6271cdd05f0d614f4dcbd1776c66b081c6a773e525614958edb331787e
SHA5123f8dc68516a7a375d164cae11047cb69d172ecb9ccd23392c88789a6f71314953355e932003b986da07daf2e21ac947af06c06ea57aae099f4b3268fc5c447e4
-
Filesize
371B
MD543c3990687d580528cfb043be14bd748
SHA15eaa01b5bf359a0ef0d49f73fdef6d373bed4152
SHA25664db00f21565ef5d1342f3db48b9f369e684b6a8ba65ce54839f161c3b09d896
SHA512fce2f3219c842b1d6653bef79e1a732eb34d6eb240d80575677a87300666012e197a01424e44a6a6b9a2c73b25a33bd4a61fcffb018146cb669c19064c4bd691
-
Filesize
5KB
MD521a66a659abec9b7a4d57fdc2a8d5f10
SHA140342d503f80699bb71677f88302e9bf44926bb7
SHA256ba27ce0af5860ed882dda14e5c0a115e5ce940a369b2b53df99eee94c29d51e7
SHA512b98f6e694e631f79896fbb8bfcfd9641ab8d38d92d0d752040faa4e4412b8613b433e8f03192afacf23ccbd6694421fc33173a02cee28e7951421ab19b3ca006
-
Filesize
4KB
MD54848de3603ee16712daeed8bce0ece2b
SHA10f5298c33a753b4300c03dfe184473b9efc3d920
SHA2566e38867c2769c9b3ddd58748a41ce6ed4abe65f06bd1b041e3d035aefa076b2b
SHA512e6c30018b98661915e60b3a85cafb069dd471e0480d9b46c7a71b4a39a0c166a14bc4f7fdb04b8e8ee2f091971d8585fec7cd2987b6938d159868ab2a33a629d
-
Filesize
4KB
MD50757a8f41dc929c0c582c58e88fafac5
SHA158058f7a2aee2d6f2aee19104eb9e2bcb1d4942f
SHA2566195bbbbd9177b1d9d1a38609fb04ecdc29bbdba8d7bfb6eee488f7c2014c539
SHA512d0205faee5449e76b53e75d997fcd48a8466e21955fdc0d14c6e454161ee0965bd9905b82a06b30e75e73a8ef75352df6096863a92fa66e6fc60c9e1dba0bd42
-
Filesize
2KB
MD5f17dd383c8676e8278df4555e1f52807
SHA1c05d24e34597ab70955806f2cc8333fc8268f6b8
SHA2565cce19535dbda5de3a87b5853ef092e281c10b1ac94a8103adeedbebb269de8f
SHA512a6bca5bffcdef4b078f4807da14acf8dbb286fe1d71e591f59c7cdea0eec5ff7f4ed9eda8a55127e1e8e12c990f74b08e243fdff9796b525965a5c6e3328f116
-
Filesize
15KB
MD51599e158eb0fe9d2011e0fa72e8907e4
SHA1e6dfe1237471f059d60ef3343836466a878c4930
SHA25651ec3e4257c163852c89ad0fbe253034fa945fd8919df7f4b921d4d57c1fc648
SHA51289b015b4bfef7867756c77156a879e391927d9e5fca73570afbe355861376313b2d4b3df5a2766ee1e491cb381412f5f4f344e55aaa2c334f3a40d08aab07f15
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
7KB
MD55a017a43a66d341265c9e0de8f51481e
SHA153901564a39e344313e77d6c001ba24ab4721ccd
SHA25662430b52dd145ca934ad03351087e87ce7469d2a6cf6641fa4b686c79491e8f9
SHA51275d427652e16b60cb6d3112a32de8c27160339105cac23c76f2938e8e88e147d133da7458ef241e0fe28a069bbc0d8d72c0356ad0f1db08a1c572ee93781c52a
-
Filesize
8KB
MD55f72c74e7998e8ac3de5afdd87828a20
SHA16f4a889ea07e2d526a3798b94c7313527a4fd4c7
SHA256531f3150828f4dce68f67bb86595ed82515ecd5112152d172f70a97d58f6d4c3
SHA512d6e1adf89a8985a5bc57495efca0e5e291c1f2559bd86399a7c1b2b1fa933882e07fc43120b1ae05923dab2a24a98fa7cb548f8f97ed37a069a42f59fd27c245
-
Filesize
12KB
MD5292e315b3f2478623b9666a9f2080a9d
SHA1122ca3a86b079d59db00ad767a0bfe61031af9b8
SHA25646bf10d29d5c42d24e4847d78328ee334f86e333a37eccc57daa328118924f52
SHA5126a6908ab9115e1edda6414c1d89fb004241f5f70db8aba17a1a12cc2dc6c5b92ea323827faea71aa82666e7789389675abf3acf1604c35c91bc64ba2109fcba2
-
Filesize
588KB
MD5ce335637db19c705a8c361f906954dfe
SHA12ec388ef24609d254a10ea1ddcc36d923c4c4c3c
SHA25614de92698ad9507d27274361b8fdf5b9ec8d2456e59213adbbc0592d13dfd046
SHA51243d031ffcc2033a1b84b4d2359cb19b985d5546fd0017c9fd9b714fcb9e36e917b6a421f5916616fa3d53e2d774c8c72b571053e3e0db43f579427fc9252e6e0
-
Filesize
1.7MB
MD5bea7972b0ba5dd82c47c8ca5de35c6be
SHA12d32fa462ba6879522f5cfe8985d738fa4f0f337
SHA2562b7db2e76ac3c4bf4fe36853bf3d012949fd66861d03e814925f58f08a1aa032
SHA512454bb2be2a477e7f565ccd43950001674d5744606e35218c14ccde1f3f47fdc1186de435330a7cd6093c980b540bca1c41c35a18cc76c3196c397695f363f415
-
Filesize
659KB
MD51add3c151df3ea531915a97de118aa58
SHA12a37ff81542d66e92c21e3e7ccf242fe216c37f5
SHA25656251d046ae1c848f01d14b9dd8f2b591b23f4440026e5e0bf84be2080f41db5
SHA5121773f387871049422c1d5348d7e49874caa2054a8d8c5436a4c9f81b52006aef0678f87200fa66a7f63d6119b57d4ada79fe40348f80a6f0f7f036a7d50831e3
-
Filesize
1.2MB
MD5e30e164dafdcfd27899cc87da677abd3
SHA163ffe6f009fe3944a02dad7e8b9fc6a53c6c70ea
SHA256ec8399d9330212dcea4f7b1f277ae81223f462f7590eb12b2414e8d63fc3ef4f
SHA512be14bbf3c32ea8e6027a9250e2652009968cbf5cf8f53620cf412ffbee040ead014c0ab469c4c4ad4c5ce7a9fd687d53cf644fd40d5316c2ca4c63bf1a664ddc
-
Filesize
578KB
MD5e80139af7d7afe3772378debcfba867d
SHA18fda9f74bfd45ba95068e69fbea3436406830b90
SHA256cfa706dd7d805dc68c39ecd6e928b349cbc47a9f9ce070e8c562293200d3d0d3
SHA512529a0cfac5d2ee663652815f047c193a25bd763a7ac5ee6a412352a062572d5d61559dc78f9c393ef14c360fdf8f944643645048fd0df3c6065df191660f631b
-
Filesize
940KB
MD5c46b15c56ccae20439e7758c11f27a19
SHA12bcc1581f2d271514c363b4c8ac2a7877d72f5c0
SHA2564079a5ae3536d6e36ee181a18cac4d2b4301acff1ed38287957139b31be8942f
SHA5129ddada8029dbb4f7b14498967c2ffec4d57b5d52441c63bdb7046c8affe7f75a463edf2ea6e6bb3ae537a7f283f7ab5f7f78d26be87b12de1938f8b1c0ba0862
-
Filesize
671KB
MD55dbc4f8db762f1673574c4de4a022efd
SHA1694928017589bb9b41b8550978a4faca40c21395
SHA256e1072419d53c9934d83f4d6bb32f992c8007727727166a8208bf0220e46875e4
SHA51236926772fd0c1e4298121f26ea28f124efdc875675b282ce6d1da080104074574fb3f8e484695c885b36794737e34ae72605963ace0b9c51886f47e860e1f6f0
-
Filesize
1.4MB
MD562329397eed051df5b09c57b5ce6d9cb
SHA1e6e5884a2fc0033f3f394c928b6e68da45b1a99c
SHA2560b401207bb58bb623826f455c3670dc2864058587c01d5be618a7f9702c0c2d8
SHA5123db221fd7ec90d74542470d3a8139ba8eb0bf6990b34ab0bdf05eb829bb39e39b4e0034e20307262a8b82634653c92ea6722fe86e3d654d055a37d6f3c9d5e0b
-
Filesize
1.8MB
MD59737947e522c3ac7cb7c27decf9693a7
SHA1ad5d859e0ec3cebeffd2ea5868457220220414e8
SHA256c68c583a547635925b2878e8fcee9651d689c64e874e03b5b2e2ce0188b4e9ec
SHA5128c41fd85a31e795e2b725cbfe2dcee0b1613564667898a38192272e7bab5fca73933cc66ebee29464565680598ba038234fdb3859f208f2b659ea013147046c1
-
Filesize
1.4MB
MD5ab5343e492abdd7a4a3a1e9e1276c550
SHA1306fea4611a5287cd9786018318a210e7cbd86a5
SHA25666c9651ae3c3992bbb4795cb52d552d3211faf25fee936f3987a003477ac01ba
SHA512aa2d14808a55e6aadbf98805b8e029a3e531744389dff21ce0cf2755ec248da17a239930b0c381608477c50eb4d2047cf6608e8a7d0f508abfc2728835ad6ec0
-
Filesize
885KB
MD5ad296af231473eaaf34982af51bd5cf5
SHA1d29afa56f2856d2cbb5c2f5ae773ccffde7e2e6c
SHA2569ee21968c6a8f2d69f9f416638221aa228e61f90983f46a7399bb6712b53ce75
SHA5129f21bfe6d232715ff6780ef676e98d997db2e9109ee49b111538696450c47c6e5823d11c5f3596cb1a032e3fbe676abff69712cdbe22f0a34eb50a4c7b1a5a4a
-
Filesize
2.0MB
MD5000c1cd8cda5105ab6f164200b9af13d
SHA1daf3959598301dff2c32ebc26567dde0b1514c87
SHA2569ca0aa026df0bc97f1c6f2aeca01dcbaafb8ec01702e4285883de3755b5fe96a
SHA5124e886b64e3f798a890104971189396516c39f4d787810c4f1ee2f6d1ae2f69abdbeb4343ea6c484a33cb004d918dee342bd1948cc7401a012160524728afa6d2
-
Filesize
661KB
MD5d019a687aa60e7df37a04ec7ee4d6f73
SHA10d81fb9ab2dca8853be0bae569cf3ba4b1d9acb3
SHA256572e98ff529639c068b4ec243440f1da406dbe0c6dc0b2446525d82ec5b9aca7
SHA512b72eeb1049481eef3dc5c7f72f077b6052a2a9597d82ad3f233da14cbb68cef6a935376e9efab68b0f31e4ed7ba66b3ef5b75f549b9ce6961ed9312fef93c628
-
Filesize
712KB
MD55d340ff775c0f874d20cf529f0b304a4
SHA1899ee904c68c650b4b9bb9c3d486125b08847ee9
SHA25680a864c6d0114494643bca65c0ff0ca8566465908617233a4ce1e5bdd8a4516e
SHA51212841fbaef361c265ae561282182987cb9160a95343e8844c4fc574756558447f9505224ae0a773af65062a835397a14641b5f963be75ab99ef8b92514ee3a6d
-
Filesize
584KB
MD5d02679d2db783bf25085672c28c178e5
SHA193adcd7943e6e977d4bbaedfcc902008e3fa5eee
SHA2566a73ea895fe041772f50a63643aeb61278e87a87511469b55efcb88b37161b92
SHA5129a23754f6e30192d2d0b8b4f0338f4bae4036aaca9742273952fc084da2e5b0639dc25e03f09c80874968a0e9fe00a633d0a1ef4630b4d1e6cd656e3a8f0e909
-
Filesize
1.3MB
MD57aab7dfe25a11b3c9ec6d0e602f3def4
SHA15e4a790693655b33994933840ab685f7a82f7963
SHA256306aef330b6438a1b1de204c1b94efcfdca23ae17ee1273421a55b74ad51a2c9
SHA5120e8a1f05a27d763adf12955567e13ac685e527c42e6547a02e36a6f7f7e995af3d8ea80eb9d80458af5e8ff3113def4791eef13f04a666242db28acfc5e86463
-
Filesize
772KB
MD517fbdc2162df86ad64d871c662b9a9c3
SHA17439c9de5280527ee8804d540c97c6b742ffa1fd
SHA25628ca3fd87b00e21f855141d6c209e9e8e5bf01823123fb5caa1a8af07f4faead
SHA51245f08b0a4633bd5835d59b827f9192655344736c8fa8a0253159a0cf822872e595595f7462bc94097b1243ef03586c574f729c65bfdae9c9395860da55362160
-
Filesize
2.1MB
MD5c7df4a454249330e72b0b33ca44ab076
SHA104c13cbd6fd9776774dcaedb04095e48720104e0
SHA256f0a606fafa3c734f76ced849c22637e0d61c0e7721f6e91d923c7524b9b30ee5
SHA512ff107389580b466e8acfacdf783456c998f7afe3588d9de2da8564373477da70fa98bf73c54b38c9359a5bba87deb85c7e236b5746c035fdaabbf2f4c732654b
-
Filesize
40B
MD593639f5ec6435bab142797333d625b68
SHA1f1e8d9462ccde482a58fcdf0825ad2f234d84168
SHA256003bb916b42cd772096ff0306a9ae0c724b6d41fd3a7f1f30508e651973068be
SHA512e7ff808ada00309e48c2b5921ee0d0ce5a1c608889c34352e831633a9913879a236ef20a640949a470c652f96b8ab4a9765c45cd14fbb9da346e4c3af68748b3
-
Filesize
1.3MB
MD50dd4a9ecc54b3e0635a12a4fb3e05bc4
SHA1c32932e40f134a36f75e7dceb340a74375dde5ea
SHA256e985a875b1b8571bfeddcd38b639fb9cdb15b874c48837898331e05d0bed0a2c
SHA512b44e9862a346257685e108ac8a2d95c8f9b330efc28beb1fb342296da18f2be78d05b494a30cf800211e6623061b48823a95614c708246348a9021b774977119
-
Filesize
877KB
MD5f91d3ea66a17ebfbe3c554f0922744a6
SHA1ff19dee06a88a5522cc3dc75aabdcbc0335befa1
SHA256611a35dac4c0c7e9537fb245666e8ebc7f41187d97078eca4de8e96fe766ae00
SHA51299fc5854cd463805fcdb106f8cd06687b737a1268609c14f4b660a97dc99fff4d031898ea05055389820c6e4a997cefea268430a653eef7213b03ec3071366c0
-
Filesize
635KB
MD5fd1dd1c2e1750e7901a80677c5770648
SHA1982d0951cd7721eed6654283711f3ba159e9c678
SHA256ba6ab9b4f84d30a6b20b61dae79916e9340088abce344f534cbda1f764b7665e
SHA5120694381f1e19121f591afe35d5f26f24a869e8a943f5abbafda0aa25d37e37c132bc1bd60f383977564fd793d938e81851f463a8df7f57749578f92ff78a6794
-
Filesize
5.6MB
MD5b68c493ec2f37bec5a203e21619f880f
SHA127ed7890f687ee651497f0d79394a52cde85c54f
SHA256d02ffc67c5512fbd330bb420a58bd92d46b8c75d53298961b33e882582a846c8
SHA5121e2f9df2347d3f054f3a71877cef6c6bfa6a674b8e3e7b6aa0c69a778beeb02df1bbaf1ef8fe91810716f80bb143fac8b8f06275348d60263f109f7ca34dabb1
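The dropped-file digests above are the part of this report most likely to be copied into a blocklist, and the extracted text fuses each label onto its hex value ("SHA11da69f..."), which is easy to mis-split by hand. The following is an added example, not code from the sandbox vendor or from this report: a small parser for that fused layout that validates every digest's length and character set per algorithm, plus a lookup that hashes a candidate file's bytes and reports which records it matches. The two-entry sample embedded below is copied verbatim from the report (the 40-byte and 2-byte entries); the record and function names are this example's own. The 2-byte entry's digests are those of the literal bytes `{}`, which the lookup confirms when run.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Expected hex-digest length for each label the sandbox report uses.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
_HEX = re.compile(r"^[0-9a-f]+$")

# Two entries copied verbatim from the report above, in the fused
# "label+hex" layout the extracted page has.
SAMPLE_REPORT = """\
Filesize
40B
MD51a7cdcf21794595155d9daf1ec65d8da
SHA140352477e8e67dcd08926c4d5904886a59ca052d
SHA256ce57ea98de4e5bc14ef94248254970c775ec2c2e1105acf460333f725b3366f3
SHA5123e1c27fc5dd19282fbaec773dd87077fe1749a450b2ee15bf001548751cc6293025e3454482706126131febb642021ae655350bbe8d43c5cd057b73708241895
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
"""


@dataclass
class DroppedFile:
    """One dropped-file record: reported size (None if the entry's head was cut off) and its digests."""
    size: Optional[str]
    hashes: Dict[str, str] = field(default_factory=dict)


def _split_label(line: str) -> Optional[Tuple[str, str]]:
    """Split 'SHA1bf21...' into ('sha1', 'bf21...'). Longest labels are tried
    first so 'SHA256...' is never read as SHA1 followed by '256...'."""
    for label in sorted(HASH_LENGTHS, key=len, reverse=True):
        if line.upper().startswith(label.upper()):
            return label, line[len(label):].strip().lower()
    return None


def parse_dropped_files(text: str) -> List[DroppedFile]:
    """Parse the fused report layout into records, rejecting malformed digests."""
    records: List[DroppedFile] = []
    current: Optional[DroppedFile] = None
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line == "Filesize" and i + 1 < len(lines):
            current = DroppedFile(size=lines[i + 1])
            records.append(current)
            i += 2
            continue
        if line in ("", "-"):
            i += 1
            continue
        split = _split_label(line)
        if split:
            label, digest = split
            if len(digest) != HASH_LENGTHS[label] or not _HEX.match(digest):
                raise ValueError(f"line {i + 1}: bad {label} digest {digest!r}")
            if current is None:
                # Digest lines before any 'Filesize' belong to an entry whose
                # head was cut off (the page extract starts that way).
                current = DroppedFile(size=None)
                records.append(current)
            current.hashes[label] = digest
        i += 1
    return records


def match_bytes(data: bytes, records: List[DroppedFile]) -> List[Tuple[DroppedFile, List[str]]]:
    """Hash `data` with every algorithm a record carries; return records with the algorithms that matched."""
    hits = []
    for rec in records:
        matched = [alg for alg, digest in rec.hashes.items()
                   if hashlib.new(alg, data).hexdigest() == digest]
        if matched:
            hits.append((rec, matched))
    return hits


if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE_REPORT)
    for rec in recs:
        print(rec.size, rec.hashes["sha256"])
    for rec, algs in match_bytes(b"{}", recs):
        print("b'{}' matches the", rec.size, "entry on", ", ".join(algs))
```

Because the parser raises on any digest of the wrong length or with non-hex characters, a mis-split such as reading "SHA11da69f..." as SHA-1 of "1da69f..." is caught at ingest rather than silently producing an indicator that can never match.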