Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-04-2024 23:32

Static task: static1
Behavioral task: behavioral1
- Sample: 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
- Resource: win7-20240221-en
General
- Target: 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
- Size: 4.6MB
- MD5: 794e9916daa5049668c601d7ee808a33
- SHA1: 862e755c3497e3b923af5510f9bdaabc96204741
- SHA256: da5a993c30ab19e71939ee0d7ec9a9c2510ba8d4f02230fe754670b65d887e1e
- SHA512: 4e64a4da59965aafdf772c8b8f8a19205b77d2ab84e3dd74d971f406876b8a8448f1a472c56dee5f037582018959e45cbf9f874cb93b84766c01ec133c66eb1c
- SSDEEP: 49152:j6xt7epvKbqZDMX1ABvAao5h+GjsY3ttrGJzRIq4RBTkV2XNuBDGuMrkOwbFE1dk:E5sY3nGJzR8NfuBgmv5
Malware Config
Signatures
Executes dropped EXE (21 IoCs)
All 21 are pre-existing Windows or third-party service binaries; most of them also appear as modification targets of the sample or of alg.exe in the "Drops file" sections below, and the sandbox counts them as dropped because they were written to during the run before they executed.

pid | process
4348 | alg.exe
3092 | DiagnosticsHub.StandardCollector.Service.exe
1480 | fxssvc.exe
3476 | elevation_service.exe
896 | maintenanceservice.exe
1672 | msdtc.exe
3888 | OSE.EXE
4052 | PerceptionSimulationService.exe
3536 | perfhost.exe
2380 | locator.exe
4808 | SensorDataService.exe
2208 | snmptrap.exe
1884 | spectrum.exe
4412 | ssh-agent.exe
5232 | TieringEngineService.exe
5404 | AgentService.exe
5512 | vds.exe
5636 | vssvc.exe
5812 | wbengine.exe
5928 | WmiApSrv.exe
6088 | SearchIndexer.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
Processes: alg.exe, 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe, 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe, msdtc.exe

description | ioc | process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\4ffea5862a644d7f.bin | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
Drops file in Program Files directory (64 IoCs)
Processes: 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe, alg.exe

description | ioc | process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_124281\java.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | alg.exe
Drops file in Windows directory (3 IoCs)
Processes: 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe, msdtc.exe, alg.exe

description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
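The three "Drops file" sections above are flattened "File opened for modification <path> <process>" records. The Python below is an added example, not part of the sandbox report or its tooling: it parses that record format (the writer is always the last whitespace-delimited token, since paths contain spaces but the image names in these reports do not), groups writes by process, lists every executable touched as a worklist for a signature or hash check, and derives the propagation chain the report shows: binaries the sample overwrote (alg.exe, msdtc.exe) that then appear as writers themselves once they ran. The embedded excerpt is copied from the report's own records; the full lists are not reproduced.

```python
"""
Parse the flattened "File opened for modification <path> <process>" records of
the report above into per-process write sets and recover the propagation chain
(sample -> overwritten system binary -> further writes by that binary).
Added example; not part of the sandbox report or its tooling.
"""
from collections import defaultdict

SAMPLE = "2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe"

# Excerpt copied from the report's System32 / Program Files sections, in the
# flattened form the page shows (one long string, records back to back).
REPORT_EXCERPT = " ".join([
    r"File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\4ffea5862a644d7f.bin alg.exe",
    r"File opened for modification C:\Windows\system32\fxssvc.exe " + SAMPLE,
    r"File opened for modification C:\Windows\system32\AppVClient.exe alg.exe",
    r"File opened for modification C:\Windows\System32\alg.exe " + SAMPLE,
    r"File opened for modification C:\Windows\system32\dllhost.exe alg.exe",
    r"File opened for modification C:\Windows\system32\fxssvc.exe alg.exe",
    r"File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe",
    r"File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe " + SAMPLE,
    r"File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe alg.exe",
    r"File opened for modification C:\Program Files\7-Zip\7zFM.exe " + SAMPLE,
    r"File opened for modification C:\Windows\System32\msdtc.exe " + SAMPLE,
])

RECORD = "File opened for modification "


def parse_records(text):
    """Split the flattened text on the record prefix and return (path, writer)
    tuples. Paths may contain spaces ("Program Files (x86)"); image names in
    these reports do not, so the writer is the last whitespace-delimited token."""
    out = []
    for chunk in text.split(RECORD):
        chunk = chunk.strip()
        if chunk:
            path, writer = chunk.rsplit(None, 1)
            out.append((path, writer))
    return out


def writes_by_process(records):
    """Writer image name -> set of lower-cased paths it opened for modification.
    Lower-casing folds the report's mixed system32/System32 spellings."""
    by = defaultdict(set)
    for path, writer in records:
        by[writer].add(path.lower())
    return by


def executables_written(records):
    """Sorted list of every .exe path touched: the worklist for a signature or
    hash check against a known-good image of the same Windows build."""
    return sorted({p.lower() for p, _ in records if p.lower().endswith(".exe")})


def propagation_chain(records, root):
    """Writers other than `root` whose own image name is among the binaries
    `root` modified. In the report these are installed service executables the
    sample overwrote and that then wrote further files once they ran."""
    by = writes_by_process(records)
    root_targets = {p.rsplit("\\", 1)[-1] for p in by.get(root, ())}
    return {w: sorted(by[w]) for w in by
            if w != root and w.lower() in root_targets}


if __name__ == "__main__":
    recs = parse_records(REPORT_EXCERPT)
    for writer, paths in writes_by_process(recs).items():
        print(f"{writer}: {len(paths)} file(s)")
    for writer, paths in propagation_chain(recs, SAMPLE).items():
        print(f"second-stage writer {writer} (overwritten by sample) "
              f"touched {len(paths)} file(s)")
    print("binaries to verify:", len(executables_written(recs)))
```

On the excerpt the chain resolves to alg.exe and msdtc.exe, matching the report: the sample opens C:\Windows\System32\alg.exe and C:\Windows\System32\msdtc.exe for modification, both then run (pids 4348 and 1672 in the "Executes dropped EXE" list), and both appear as writers of further files. Every path returned by executables_written is a file whose Authenticode signature or hash should be compared against a clean image before the host is trusted again.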
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe

description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
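The SCSI section above is the raw material of a classic VM check: a sample enumerates Enum\SCSI, pulls the vendor and product strings out of each device id, and compares them against a list of hypervisor markers. The Python below is an added example, not part of the sandbox report or its tooling: it parses the flattened "Key opened / Key value queried <path> <process>" records, recovers the three device identities the report exposes (two with the vendor string DADY, one Microsoft "Virtual DVD-ROM"), and applies a marker test of the kind such code uses. The marker list is an assumption for the example, not something the report states, and the excerpt is copied from the report's own records. Two caveats the report itself supports: the reads are attributed to spectrum.exe and SensorDataService.exe, both binaries the sample had just opened for modification and that then executed, so the report alone cannot say whether the reads come from injected code or from those services' normal device enumeration; and while the DADY strings match no common hypervisor marker, the Msft Virtual DVD-ROM entry does, so a sample using this check would still conclude it was running under a hypervisor.

```python
"""
Parse the flattened "Key opened / Key value queried <path> <process>" records of
the SCSI section above, recover the SCSI device identities they expose, and run
the kind of vendor/product string test a VM-aware sample applies to them.
Added example; not part of the sandbox report or its tooling.
"""
import re

# Excerpt copied from the report above (five of its 64 records).
REPORT_EXCERPT = " ".join([
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 SensorDataService.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName SensorDataService.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName spectrum.exe",
])

RECORD_RE = re.compile(r"(Key opened|Key value queried) (\S+) (\S+)")
# Device-instance path under Enum\SCSI: <Class&Ven_x&Prod_y>\<instance id>
DEVICE_RE = re.compile(r"\\Enum\\SCSI\\([^\\]+)\\([^\\]+)")

# Substrings that commodity VM-detection code compares SCSI vendor/product
# strings against. This list is an assumption for the example, not from the report.
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "xen", "virtual", "msft")


def parse_records(text):
    """(operation, registry path, reader process) for each record; the registry
    paths in this section contain no spaces, so a simple regex suffices."""
    return [m.groups() for m in RECORD_RE.finditer(text)]


def scsi_devices(records):
    """Device id -> vendor, product, instance ids, reader processes, operations."""
    devs = {}
    for op, path, proc in records:
        m = DEVICE_RE.search(path)
        if not m:
            continue
        dev_id, instance = m.groups()
        d = devs.setdefault(dev_id, {"vendor": None, "product": None,
                                     "instances": set(), "readers": set(),
                                     "operations": set()})
        for part in dev_id.split("&"):
            if part.startswith("Ven_"):
                d["vendor"] = part[len("Ven_"):]
            elif part.startswith("Prod_"):
                d["product"] = part[len("Prod_"):]
        d["instances"].add(instance)
        d["readers"].add(proc)
        d["operations"].add(op)
    return devs


def looks_virtual(vendor, product):
    """The marker test itself: case-insensitive substring match on vendor+product."""
    hay = f"{vendor or ''} {product or ''}".lower()
    return any(marker in hay for marker in VM_MARKERS)


def vm_giveaways(records):
    """Device ids in the records whose strings would trip the marker test."""
    return sorted(dev for dev, d in scsi_devices(records).items()
                  if looks_virtual(d["vendor"], d["product"]))


if __name__ == "__main__":
    recs = parse_records(REPORT_EXCERPT)
    for dev, d in scsi_devices(recs).items():
        flag = "VM marker hit" if looks_virtual(d["vendor"], d["product"]) else "no marker"
        print(f"{dev}: vendor={d['vendor']} product={d['product']} "
              f"readers={sorted(d['readers'])} -> {flag}")
```

The FriendlyName queries in the report are the same check by another route: FriendlyName carries the vendor and product strings in human-readable form, so reading it and reading the Properties keys give a sample two chances to see the Virtual DVD-ROM string.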
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe

description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: chrome.exe

description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, chrome.exe, fxssvc.exe
SearchProtocolHost.exe and SearchFilterHost.exe are helper processes of the Windows Search indexer (SearchIndexer.exe, pid 6088 above), and fxssvc.exe is the fax service (pid 1480); the MuiCache, FileExts and Shell Extensions writes under .DEFAULT listed here are consistent with those services populating their caches after starting, rather than with writes by the sample itself.

description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca2aeee84389da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000067d9fe84389da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000b3553e84389da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b4728e84389da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000633fe2e84389da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133570063515273110" | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 39 IoCs
Processes:
chrome.exe, 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
pid process
228 chrome.exe (2 entries)
2868 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe (35 entries)
116 chrome.exe (2 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
652 (image name not resolved by the sandbox; 2 entries)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
chrome.exe
pid process
228 chrome.exe (3 entries)
Chrome's own sandbox launches its child processes with the "block non-Microsoft binaries" image-load mitigation, so these hits come from the browser the sample started and are not behaviour of the sample itself.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe, chrome.exe, fxssvc.exe, TieringEngineService.exe, AgentService.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe
description pid process
Token: SeTakeOwnershipPrivilege 2440 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
Token: SeShutdownPrivilege 228 chrome.exe (paired with SeCreatePagefilePrivilege; the pair repeats throughout the run)
Token: SeCreatePagefilePrivilege 228 chrome.exe
Token: SeAuditPrivilege 1480 fxssvc.exe
Token: SeRestorePrivilege 5232 TieringEngineService.exe
Token: SeManageVolumePrivilege 5232 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 5404 AgentService.exe
Token: SeBackupPrivilege 5636 vssvc.exe
Token: SeRestorePrivilege 5636 vssvc.exe
Token: SeAuditPrivilege 5636 vssvc.exe
Token: SeBackupPrivilege 5812 wbengine.exe
Token: SeRestorePrivilege 5812 wbengine.exe
Token: SeSecurityPrivilege 5812 wbengine.exe
Token: 33 6088 SearchIndexer.exe (privilege LUID not resolved to a name by the sandbox)
Token: SeIncBasePriorityPrivilege 6088 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 6088 SearchIndexer.exe (repeated; the table is capped at 64 entries)
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
chrome.exe
pid process
228 chrome.exe (3 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe, chrome.exe
description pid process target process
PID 2440 wrote to memory of 2868 2440 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe (2 entries)
PID 2440 wrote to memory of 228 2440 2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe chrome.exe (2 entries)
PID 228 wrote to memory of 224 228 chrome.exe chrome.exe (2 entries)
PID 228 wrote to memory of 4644 228 chrome.exe chrome.exe (repeated)
PID 228 wrote to memory of 4560 228 chrome.exe chrome.exe (2 entries)
PID 228 wrote to memory of 4760 228 chrome.exe chrome.exe (repeated; the table is capped at 64 entries)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. Ransomware commonly calls it to enumerate and delete shadow copies before encrypting, which is why this signature exists. In this run, however, the only VSS activity in the tree is vssvc.exe (PID 5636) starting and enabling SeBackupPrivilege/SeRestorePrivilege, and vssvc.exe is itself one of the system service binaries the sample opened for modification. No vssadmin, wmic or wbadmin deletion command appears in the process list, so treat this hit as a weak indicator until the modified vssvc.exe image has been examined.
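Two of the signature tables above are easy to misread. "Executes dropped EXE" fires for every image whose on-disk file was written during the run, and the files here are existing Windows service binaries (alg.exe, fxssvc.exe, vssvc.exe and the rest) that the sample opened for modification, not new payloads. "Suspicious use of WriteProcessMemory" is dominated by chrome.exe writing into its own children, which is how process creation looks; the one row that matters is the sample writing into chrome.exe. The script below is an added example, not part of this report or of any sandbox vendor's tooling. It parses rows in the three layouts the report uses and separates those cases. The row layouts are taken from the tables above; the excerpt rows embedded in it are constructed so that it runs offline, and the sample filename is the one from this report.

```python
"""Triage the flattened signature tables of a sandbox report.

Added example; not part of the original report or of any sandbox vendor's
tooling.  Row layouts follow the tables above; the excerpt rows embedded
below are constructed so the script runs offline.
"""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

SAMPLE = "2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe"

# "Suspicious use of WriteProcessMemory" rows (constructed excerpt):
#   PID <src> wrote to memory of <dst> <src> <src image> <dst image>
WPM_ROWS = r"""
PID 2440 wrote to memory of 2868 2440 <SAMPLE> <SAMPLE>
PID 2440 wrote to memory of 228 2440 <SAMPLE> chrome.exe
PID 228 wrote to memory of 224 228 chrome.exe chrome.exe
PID 228 wrote to memory of 4644 228 chrome.exe chrome.exe
PID 228 wrote to memory of 4644 228 chrome.exe chrome.exe
PID 228 wrote to memory of 4560 228 chrome.exe chrome.exe
""".replace("<SAMPLE>", SAMPLE)

# "Drops file in System32 directory" rows (constructed excerpt):
#   File opened for modification <path> <image that opened it>
MODIFIED_ROWS = r"""
File opened for modification C:\Windows\system32\fxssvc.exe <SAMPLE>
File opened for modification C:\Windows\system32\vssvc.exe <SAMPLE>
File opened for modification C:\Windows\System32\alg.exe <SAMPLE>
File opened for modification C:\Windows\system32\AppVClient.exe alg.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
""".replace("<SAMPLE>", SAMPLE)

# "Executes dropped EXE" rows (constructed excerpt): flat "<pid> <image>" pairs.
DROPPED_ROWS = ("4348 alg.exe 3092 DiagnosticsHub.StandardCollector.Service.exe "
                "1480 fxssvc.exe 5636 vssvc.exe")

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
MOD_RE = re.compile(r"File opened for modification (.+?) (\S+)$")
PAIR_RE = re.compile(r"(\d+) (\S+)")


def parse_wpm(text):
    """One (src_pid, dst_pid, src_image, dst_image) tuple per row."""
    return [(int(s), int(d), si, di) for s, d, si, di in WPM_RE.findall(text)]


def cross_image_writes(rows):
    """Count writes whose source image differs from the target image.

    A parent writing into a child of the same image (chrome.exe -> chrome.exe)
    is what process creation and Chrome's multi-process model normally look
    like, so those rows are dropped; what remains is the sample writing into
    a process that is not a copy of itself."""
    counts = Counter()
    for src_pid, dst_pid, src, dst in rows:
        if src != dst:
            counts[(src_pid, src, dst_pid, dst)] += 1
    return counts


def parse_modified(text):
    """Lower-cased basename of each modified file -> set of writer images."""
    opened = defaultdict(set)
    for line in text.splitlines():
        m = MOD_RE.match(line.strip())
        if m:
            opened[PureWindowsPath(m.group(1)).name.lower()].add(m.group(2))
    return opened


def parse_dropped(text):
    """Split the flat '<pid> <image>' run into (pid, image) tuples."""
    return [(int(p), n) for p, n in PAIR_RE.findall(text)]


def classify_dropped(dropped, opened):
    """Label each 'dropped EXE' by who wrote its on-disk file.

    The signature fires for any executed image whose file was written during
    the run, so a pre-existing service binary the sample overwrote in place
    is reported exactly like a freshly dropped payload."""
    labels = {}
    for _, image in dropped:
        writers = opened.get(image.lower(), set())
        if SAMPLE in writers:
            labels[image] = "overwritten by sample"
        elif writers:
            labels[image] = "overwritten by " + ", ".join(sorted(writers))
        else:
            labels[image] = "not in modification list"
    return labels


def triage():
    """Run both checks over the embedded excerpts."""
    return {
        "cross_image_writes": cross_image_writes(parse_wpm(WPM_ROWS)),
        "dropped": classify_dropped(parse_dropped(DROPPED_ROWS),
                                    parse_modified(MODIFIED_ROWS)),
    }


if __name__ == "__main__":
    result = triage()
    for (sp, si, dp, di), n in result["cross_image_writes"].items():
        print(f"{si} ({sp}) -> {di} ({dp}): {n} write(s)")
    for image, label in result["dropped"].items():
        print(f"{image}: {label}")
```

On the excerpt this reports a single cross-image write, the sample (PID 2440) into chrome.exe (PID 228), and labels alg.exe, fxssvc.exe and vssvc.exe as overwritten by the sample while DiagnosticsHub.StandardCollector.Service.exe is absent from the modification list. To run it against the full report, paste the complete rows from the corresponding tables into the three constants; the hashes in the Downloads section are then the values to compare against a clean install's copies of those service binaries.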
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2440
  -
  C:\Users\Admin\AppData\Local\Temp\2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
    C:\Users\Admin\AppData\Local\Temp\2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=122.0.6261.129 --initial-client-data=0x2d0,0x2d4,0x2e0,0x2dc,0x2e4,0x1403827e8,0x1403827f4,0x140382800
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2868
  -
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:228
    -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde7e49758,0x7ffde7e49768,0x7ffde7e49778
      PID:224
    -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1884,i,10584864452440658902,14119403586182038036,131072 /prefetch:2
      PID:4644
    -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1884,i,10584864452440658902,14119403586182038036,131072 /prefetch:8
      PID:4560
    -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1884,i,10584864452440658902,14119403586182038036,131072 /prefetch:8
      PID:4760
    -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1884,i,10584864452440658902,14119403586182038036,131072 /prefetch:1
      PID:4260
    -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1884,i,10584864452440658902,14119403586182038036,131072 /prefetch:1
      PID:2980
    -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4572 --field-trial-handle=1884,i,10584864452440658902,14119403586182038036,131072 /prefetch:1
      PID:1724
    -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4748 --field-trial-handle=1884,i,10584864452440658902,14119403586182038036,131072 /prefetch:8
      PID:1620
    -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1884,i,10584864452440658902,14119403586182038036,131072 /prefetch:8
      PID:4068
    -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5200 --field-trial-handle=1884,i,10584864452440658902,14119403586182038036,131072 /prefetch:8
      PID:4420
    -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 --field-trial-handle=1884,i,10584864452440658902,14119403586182038036,131072 /prefetch:8
      PID:4492
    -
    C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
      PID:3496
      -
      C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff692c27688,0x7ff692c27698,0x7ff692c276a8
        PID:5052
      -
      C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
        PID:4216
        -
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
          "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff692c27688,0x7ff692c27698,0x7ff692c276a8
          PID:1420
        -
      -
    -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1884,i,10584864452440658902,14119403586182038036,131072 /prefetch:8
      PID:3708
    -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1912 --field-trial-handle=1884,i,10584864452440658902,14119403586182038036,131072 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID:116
    -
  -
-
C:\Windows\System32\alg.exe
  C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:4348
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID:3092
-
C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID:3988
-
C:\Windows\system32\fxssvc.exe
  C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID:2208
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID:3476
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID:896
-
C:\Windows\System32\msdtc.exe
  C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:1672
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID:3888
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID:4052
-
C:\Windows\SysWow64\perfhost.exe
  C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID:3536
-
C:\Windows\system32\locator.exe
  C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID:2380
-
C:\Windows\System32\SensorDataService.exe
  C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:4808
-
C:\Windows\System32\snmptrap.exe
  C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID:2208
-
C:\Windows\system32\spectrum.exe
  C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:1884
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
  C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID:4412
-
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID:2520
-
C:\Windows\system32\TieringEngineService.exe
  C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:5232
-
C:\Windows\system32\AgentService.exe
  C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5404
-
C:\Windows\System32\vds.exe
  C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID:5512
-
C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5636
-
C:\Windows\system32\wbengine.exe
  "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5812
-
C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID:5928
-
C:\Windows\system32\SearchIndexer.exe
  C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6088
  -
  C:\Windows\system32\SearchProtocolHost.exe
    "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:5840
  -
  C:\Windows\system32\SearchFilterHost.exe
    "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID:5960
  -
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 dbc83e0c09dc2219868615145b318aa5
SHA1 d70edf2777bb3ae04f97e2cd5a7f87f8591d2720
SHA256 9835105a059d0de674c9009fc5fbfa1bab3144d25ac951280a49a8a3d202e18a
SHA512 855535ca3ed7d57a9aa44d27ec675cac75f66fd375f29b77ae9ae910357c6d0eae6997fe95397ed2336c42ff3863019f6dcf3f3f49794ac41ea5a7cdfb90d21c
-
Filesize 1.4MB
MD5 ef3af397d8a9e160739e42062f1a4516
SHA1 27accab279dc7f091d24e41949548ff8e1a3d7ea
SHA256 55008034c29d5d2b4fe6171a207a020b17243b75800c4aee41a3e35d0c57ac58
SHA512 5143e79653444f9eac57c2f188a8059bbe50983b255f6197337e377fca0522b7ab76287c7a9f309f7f1bc829583558cabb70127c45a51a0c1a0fec7e2482228d
-
Filesize 1.7MB
MD5 abda4cdcd5d468ce35aa0adc2581523e
SHA1 b19cd19587d1df2d82a25aef4761f18c0d71e3c7
SHA256 ddea419e70768ee2ec6ee8fec1bf3ef153898678c3d51ed3ffaafe0f165b9921
SHA512 df1f81a8fafb5365c51ee53eeee37200f8cba57287a536738c017f2752cf69ca0097303c583f4c1bb9118b39a8635345cc91ac435d43b00945c8cd4c354c3bf6
-
Filesize 1.5MB
MD5 ff88ddb76092519ec05a4c1c13c8c2af
SHA1 4175f7c444f88fc6535c435f4f8c63e38a48e40a
SHA256 f73293604d077f020de6cf3ebd424f3ffa282c26a6e28d78963157b28f6a02d4
SHA512 2d16dee3df36a68faaef9ab84bd31b3ca698f10514369b4d561a0dd6ee600d5b88259291417e64275109f5f6f0b2f153937f3749cdd8afee4a43a50ca4f3b215
-
Filesize 1.2MB
MD5 05c7acfec3b44f3bea95771c22727cdd
SHA1 5559a7fe640ee5e9f7f18965d42e5113d126f766
SHA256 59bd73f051a5fad688f1ed366b8ae390a1a6da9f7dd1c9f18d4179e10474f925
SHA512 6d5ddf546f42b9b58698bd7a7d3c8f0f4f4e775a21d3293ce42166666bef716163b8af2e21c09f01cb8f3fd641c136223360e84aae455337b815207b997d845d
-
Filesize 1.2MB
MD5 90115a70153ed4b7419542d2c8c5a0c9
SHA1 dd80f799c3955d2cec931430cd48cbf042f4454b
SHA256 da3c686e05eeb5cd12edbccc97b9014e745bbe0dceda34c47b82c8d3f6ff9aa8
SHA512 fcadf5cf9c8e6862a7383113be9bc546f44d707f2e32b36b5b7f1da69a2f158892220f699b6c33009b15eeef53794909b0cce3616a048463032785fa5b7f0490
-
Filesize 1.4MB
MD5 af47a21eb96bee928a3db11bf0098ba8
SHA1 e133ca56186d9e72319415289b33ef312861b87b
SHA256 85c607fb573bfe37278d64bc471ff3991af355b27c44ab106139288cf49c58f6
SHA512 3c5aefa2783ec642e6fa6ab6b2683d78ccf106173a3436edf682308e5c993884e8336f448bc68950bfa235cca5c3a035c6f46be8a6f39faffc7edd9d0c348d84
-
Filesize 4.6MB
MD5 c5362ef629b6c00622bf8d20d44f354e
SHA1 91535faa27a5d0a1f8893f8bb5393e6dc278143d
SHA256 8e33141e77392a1bce08838b860fbfd8af88208ed37f97e5e73ce79d40af2c40
SHA512 ba51785d444c079901e6cb7c5026e76e970fabea3adae3c5084fc5f8ededda2b6dcefcd629a20b401cc6f1984ee3ee6bb3b47ae4d3499a255b40271ca094d01c
-
Filesize 1.5MB
MD5 4969de0764eff35b6c9821fb0dd76bbc
SHA1 58d6ad48e59220f1de3d2ef54f35ddc30e417548
SHA256 aacb40de918f5868b3cc77de5916abae1d82741838a9385dc71834f37f7bf2a3
SHA512 d6dfb2d5863d645f1c9bb489ff20924477e443fc531fc6a8a200e4437e314d0857fcddd0d2473e1ced0aae09f847a5efdab5243f59280464921169ddfd52442d
-
Filesize 24.0MB
MD5 e3712a427a0851aa67dc6ed470bae1f8
SHA1 fb94dbb66d1edde5df7f5aad958285f2a4b7136c
SHA256 f520ad408998503014740c5b5701ba7a2c9e0c4046d62f1290fe55dd1c5feff0
SHA512 802c6fe7dec43e6f26fcd11c76ddcfdb170c93818766c60928c726851881ed3aa8db3c87c9ccc25dae91a33915918d1d0aa994213094fb167f167143e97ae05e
-
Filesize 2.7MB
MD5 fc15185ee90329f17c624965aa9fc3b2
SHA1 eb939b524e5b54bbd70883aa1a0a76338c189ff3
SHA256 7420b4ba76b224d497e567a59a9dfd6e40012b404c0f464d6d63383397741dfb
SHA512 1973174ed3f0a91e8e9f216871e441142b6cd424196434e4987317af0f9806720b832c714c04188fb6abdf53c3e52f6c141dd2fc9e5151155afe0bb196b0a06c
-
Filesize 1.1MB
MD5 63345e407a27275735f077548ae9998e
SHA1 1b7c2ec2a3e5dc663239ee88913906c149e93bd6
SHA256 24ead244884da2a5fbf092c52e24e94f5fd1e58d206e6c0b579ccf1fd69f9d54
SHA512 51c582d39ff5cb551b618f67aacceeac707a589d81b80e005b3688d346571068b482b800400900e5addcb476d6d3028c2d2d39238cda31268dd604acb76cd6b4
-
Filesize 1.4MB
MD5 42d12d8ad65526cfd270ad04251ef3b0
SHA1 c593c1493ff793eb5d4675f6d0cb00777d03ad98
SHA256 6019334bf578cb9e5e4c12e8cad83b062301ec3cff4c0f9b10ab1ff581175164
SHA512 24d4b35814599ec249de1c696ba147e3f9396706635a2ed13a8a9c923136205de1fb1929e7c4bea1a719758ee5c5702d239a147864164db573f4460d6634e06b
-
Filesize 1.3MB
MD5 788d67abac5443986b527b3ee8f846d5
SHA1 4fdd3adf829f94c4cb6f5689351ab61536c8e7f9
SHA256 0d71f772562f611b896a06cfc564a06b2df0b9a1cf7ea4dba733f5bd44429c12
SHA512 88f58c40bba23e57ef9dae6abe69591449762de649dd57006d59d90996cd0b0e083ecef8075fe15f188bb89187f2ee01f22205b9ea1e5fa494b0eeca116a14e5
-
Filesize 4.8MB
MD5 c6de1d50bca8eb9444fee7472da8bbdc
SHA1 90f07975433364c82e45b14ac857f3208e8d51e3
SHA256 47556bbf3b1a1d857bce9c2e5225b074ba8084785484fe45216d435809093971
SHA512 4f265af270b9d3551a384bb749727691ad01ff161cd59c930f46494217e557286a8e8ec19083e93ea915a7970bf1af54e677584f33b88fb5b4af1c39c4c8b755
-
Filesize 2.2MB
MD5 4dd1322845b1e74fe121e61624576c4c
SHA1 e031c1e29eaec68d7a60393bcd980e50a7f19f16
SHA256 47480ef982e318a330391b672e2b9e5b9bf885ed2626ca4ee2a4df8ba265cf5f
SHA512 593383e29fa121f900b8e345483f585666ba09d087e90d5974f883fb716bfa6b5c213e598a03428e2132fbc820b846335fb6826ec7a474f379d1aa8925db69c1
-
Filesize 2.1MB
MD5 a94f117e3fb1bf1ece252fc160d2035a
SHA1 a529e42d80de61c29697e7d0b612bea02cdd3c5b
SHA256 f96b9fa8918be8325627a0d9b1ba1281dfcf8605ac44047590b1c57646bb8cca
SHA512 4c1bf677cdfb928752ef50086a5067eec9820b13386792cacc9f7fc3e60a2ca3c23dc773cc6405927c5f3ceb5acbe536b5c7b9c4cc05664077f1b48633b034fa
-
Filesize 1.8MB
MD5 651d995292fa9b0ac2d5039e3a905d28
SHA1 c7497f12aa804e92f9748fdcb20395932abc10f9
SHA256 b71c9ab589008a43ca48e09ae975b7ddd20a27205f70bb1927ea734eccca9602
SHA512 c340e35592560ca0fb5776a069fcfd08c4fa402194df75e2ed4184bd37fb4ad1a42169344c9237699265f365007898abb78c19a61ec37cf65b73b6de4f05be49
-
Filesize 488B
MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize 1.5MB
MD5 b728511624599a53d504afadef95b199
SHA1 83e7d54da91e09dabc0dfd62cffb5bc22017e08a
SHA256 73af2337029f778175acb36a82025a4a39504676e4f29dc2e347a4233aa94a35
SHA512 6ae7e7152c792d671beb082dc4bad1ecd39783fc926e823197f28cd55bd9f0fe063e2e8ae09136a75d9fd5fd55ac69a52845dc69897bb2e8f7dcaf5ff111d7dc
-
Filesize 1.3MB
MD5 325696c6650a04a3045a6732de5feca7
SHA1 6ba23cc2395a59e95e20f078e60c90226075027d
SHA256 a5ebbbb28fa807ae690e886b9e467f44fc87a43cb5fbb4fe1417514aecbcd429
SHA512 5b4584f6f2d72ada6462c077fbb7024eb77166e6d679e4862253a1da480af31dbc757f5366de45d3dda644aa3c55f431ecf2ebab457d3ef91670b30addfb4a25
-
Filesize 40B
MD5 b605879e08d2c37a89e0a7cf9cebb008
SHA1 547075286a6e5e6a304912cef29adf2a5379458d
SHA256 2a7688cdba662e4017878b44e559b7bf4889f2b32ff1c6ed70e020a2738e662a
SHA512 f18fb8e2df93b18cb2359c651e1dbbaf73225ff16912cec7dda24ef3e82d921690aa0690ca493375536159d8aa9ab660e45e2abe4cdbeaaa368f6f69bc090fe0
-
Filesize 193KB
MD5 ef36a84ad2bc23f79d171c604b56de29
SHA1 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256 e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512 dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize
1KB
MD5ea97088988e106c4bb602af83b1ff405
SHA189f24c6c308f7440f2ee601924148fa6165f8bfa
SHA25604be5bd32ee0e48fe2da6d02106cf6fa62ae8d299dbfb70eddc5c105ea7b1340
SHA5129653dd1c9f99cd8414811e734eb6805b8f3dcc0b6715ba08f052a5953a95e85133c27629370f1319797f5c4ebc7e4a8eee454a5e75bfd84ee5539fa5547f2616
-
Filesize
371B
MD52737d83a82cf5038772aa0ad5ba159e3
SHA144c6096b8fca5ba11a6d58c494d354e885b2457f
SHA25639ba171ae002ac8441683b5bdc33b3f33251fa6eac88031b6ea1b347c8c90023
SHA512fd1b92705dcbb5166880e2fdb11a6b437029a323d1af77b8a9bb758abc24fa7407c36b8220eda15bb7e5ebb086cb2ba541be3dab608fa1da42fb3b6dffd8c036
-
Filesize
4KB
MD5c9e152f4ea812ff0ee70fb1487e4f8d3
SHA165a1e23a042fb35fb67b754f26424c0f4cbd4f52
SHA2569c12fb7525b5503fb6f29048f599c0d9bd21d3b3314b5338006ec01c2ebcf194
SHA5126d44123f2cefd5ca2c177560882772f3d04d70a8541758b02e90ebccbac9a4ac1643411faded968b68b2bec8e6e0703cbb3b84dd1ae40ed74a5806a3485422d3
-
Filesize
4KB
MD5e866c1f1c23aff0b82bd4c1baf74400c
SHA19747f08b200659b642a066c9a4ddabd4d9047d93
SHA2567812450cc7ecc61f6c35f9d3d689f8306f24500d1809c1378bbcf34740904bd5
SHA51266008e2663962c1edc09199198f08fa36eecc318a8046c558727d28186dd04e50bbf3fc164e2656bafca8b577047cd22cc2c62664d8284091d7992964c437cd4
-
Filesize
5KB
MD52d3ab12528fd84f35c3115a7be174497
SHA138e249ae4970923f4ac6a73eeaea67c437360085
SHA2561f03cfeb90664609ba793ffbec211be5262c3b7f2b180f56539fa4c22e4fcafa
SHA512f7e5bb6859aaf6e2d4e3fbf0a681a27d2709bfcbc587c4fbb675048f492a271ffede0b080d03a150cf7030ea07de88bf92078e583b9f3124fea479d52ca770b8
-
Filesize
2KB
MD5ef3aac392c0d75f931c89cbb67985e0f
SHA1ce61a9a0890645f7551e4188f0dc09b324f56b63
SHA256474bd435e067162d7364e95374e0fc4f6be9ea3202017cdb1eb05a7876f254ec
SHA51222f026e8146699fdd24911bff6f5cfc0ea1cc131bd378e973e8fca5fc479c8eda9764b7a3a1acd9bbcf6f6cfab8763c04fe6c9a56e1b8e9ffd6316ed11c34703
-
Filesize
15KB
MD5e7719b4094a8bc68d5066e8308202121
SHA17973db360a9a9c15dc6bc76ea735394f1c6a6635
SHA25671a1baf3328193f4b4aeec9f8a4a97135a81494b5619307df51a2f97f21a5193
SHA5125a1e5147a118d9a6aa7540b79284a8e501c8ba468918f6d8d0afe1724cbdb0fd6489fd578af1ca62b9dd66d49a5b05125b9029d5ab3a0d50226c1d5caf5d5e3b
-
Filesize
260KB
MD5e12fd91db9ba2d0aadb1d20f203e05b5
SHA184f61e18ce3b5a38579be32c3bc4391d250692d1
SHA2560164264b5250faa31c17e77a4a310cae7e571e32e6210d15d788ed14e2df09a8
SHA512561f38d0e8c2459ebea9f4f6184007a994ccd3d90ff9867bbaeef379ef42ede2302e6d78cb46e4fd6a0e770600df7f9fb8cb3d39e42a369b8aaf5918205b0bec
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
7KB
MD59a6e2c685a142ef53639bedacafd0797
SHA124be0856246d03dbbc328ff9d71681f0a066d68a
SHA25634b2b095a7a944547d230b4ebf102a22e22cebffe712189da4bbfa968e5d929c
SHA51238a9e968cd481d8b2f8bc7bd830efa8a56368fb8e5a41dacb458ce65c0c650c70d3b2b4e8c37f7446cb6a4284550148cb2446a62352ada567a279bb78bdb7890
-
Filesize
8KB
MD5dfdda1520b2f922d2ee38b65a066b5e5
SHA1e613431382376da0a017ae5324253972705a53e1
SHA256a4bf4a78c5081fd0630ae09c5b9d7747395c39bc076f92c61fbcce18fa2cef11
SHA5128f29922786e303cf9d63811687ad87c77b690085099f714179d6fdf9d4b620811917c968e98c68ac27068cfab38341b57ffd6372bb888709dd2858df78f3ad3e
-
Filesize
12KB
MD5a057f12c3dfa4eb694d40e674c4c27c2
SHA14347c64fffd9dc4f148dea7897b026745965bfed
SHA256bdeedde83ea1190015f6a78ead7171d1d28f9167b2c463ba72510a407feb4069
SHA512c90f2fea517acb3f44b5ac8b3242b9183950e8adb5e0d86be4b7be3a7ccdbea4676223677fe2df0980c784a171ebfb49b843407f678d9b7b8cbb5987a01b08e6
-
Filesize
1.2MB
MD59e25c5192f1d9432d34ca21de20c89c8
SHA10c24c745edbdfaf5b37f116acf59290a2b265cc9
SHA256ecf49cf1d35684ad3d926d6911dd1c40fe64b49aa06b90eee0de89bae20509d2
SHA51289cd81a480b47efa308036b538f8d8df28650e2ec7d5feadc4810ea7562ff98b10c5b2c7033085f067dcdbe92208263047b2bcf2eef302ae8e70910f398388fa
-
Filesize
1.7MB
MD55fd03f897f855dd72ca9ebfd2ee7b0dc
SHA1e310bf354b723ba5c65248c7456ec4b34fe76c18
SHA256202f0bb2794e1f45af04146d4830cded0915dbdfa8963c216a1b68966eb4666e
SHA512a50e8b30ce828f9c684854512ef9ce3639ea001b37071dd186f53030bfe70869bbdfc86a3c751866f4dfaa43c02314391bf1f34627aced40e268d293c630c67c
-
Filesize
1.3MB
MD51e8bda18bc5d0f77de8462a1bdfcf8f5
SHA19eba223cf9fffba81fac549f50b1d3a42df33072
SHA256a21976e212602b227ab10542e23ad4cddb6da2051cf1b58579a2a3e7933a912b
SHA512ff4f354411538653b022a9bae911fdd471bce353884e5590c01d68b5623ed905fd951ccebec0cafd79bb6a8338a5c822b2fadb0cd6d0a4e30bb0fc95e28ac7d7
-
Filesize
1.2MB
MD5577eebf8bac1ffbc212b1fdf9b372190
SHA192a7c7a54e1199d7d6df2d0899e26ef998fc5362
SHA256750b3f67d570d413839277bf760adb7d28baaafcb96752fb71d2db8f959b09d7
SHA512fcf32c6ace083d0a10a4d4d1675c63234d602ce491c1ee707996ccaf0b0060335fbd46598aaa98d0c8b81b401f0675da9aea197c8352446c5b922701f5e7baa9
-
Filesize
1.2MB
MD5a6136b8aac5bf24ec660c931be9f828e
SHA1acda44b46536ce01db61b87270e2bc995a2009b7
SHA2562c147b928b48fccc66ed22b748fe35146ca4b484b334bbb500c2124f45dd8770
SHA512b86b328272e24511dfe3445f50f9ef1dd470cfd163a2a8c279bede0bae613c31bbecc0e5b9f8756d425bf04843d5790d4124fe55c69cde9a106dce247387472d
-
Filesize
1.5MB
MD5675cf2973f751e6e5441f7eab6872d49
SHA11fa170065ec826695ffce91d487a5467e2c3a5d0
SHA2564d627264ae1518a1af89cf234e0eba472c604448f7445cdd953863fe5a509e80
SHA512b300665802047ce6dda749e5f34af9901df465c0c99bd41b87b438ecafb044a4ba8353c78483d4c6acd769a4cec7bf40b039c9a58afbfd3757fe92852bba28bf
-
Filesize
1.3MB
MD51d546a61711cf9cc9bb1c9b34ec17e4e
SHA1d3eff03c113295492911be95905afc9a4b4d9a46
SHA2565d3fca1426750577870565141924d2f7e999a4ab5b0a6e5e27d020a46625fabd
SHA512537edd044d98816e5b2b0bbdfdf779b430b56d1b7e7caa2c8f950207b765e34fe8105e0f63140fb6abba4ecc616a8f54a69307f19fa7a5a2994dede2b644460e
-
Filesize
1.4MB
MD5d0748d2a4eb2e545f7551b1c3275ad9b
SHA13abce5d99b78b3b0bf76a40685f5bf6075bc343b
SHA256e444009f1798e970c99a0c55c2f50c075b1524980bf5a2df47386c834869938a
SHA512831d83ee1480c2cd7d4e2317612e6a475f48638dc5d4f2d8f3d50e49547578789d774156a7360c2b65b988e4b687c39ffe21789dc838cd9cc7390efc602c6f17
-
Filesize
1.8MB
MD546f0c02c32c58ee239011a4becf86111
SHA190a0c541e5c6f193f27b7ea755b1c4f238113ee6
SHA256a03da6f2cba1d68a93e5b2d9cf042e6d11fdf48dd2565f31828228251b11942f
SHA512ffc93a0b3cfa48a20361220479ffb7fe99f4a7ae7dadcf475501515551ac1cbf2765504fda74f1509aa33507f6575abf4b58c09d5691eeb6cadcae2a8ac56694
-
Filesize
1.4MB
MD5885209da3b7924e5db9d7e27f15c4922
SHA15f8a98889aeaadd0ec58cafff5be8536d15e33fc
SHA256a1eb34bb8f4f118297d723aad352d3a98e9122c9612021ac9d4151e40892e364
SHA512dc17522db54e4a412246336945ae839358393a43dc5867b71fb345741025648f57be97f6e6986b4ba10589b8b5769149a9989513f856c5949db315f1426a407b
-
Filesize
1.5MB
MD56f8e561e36607c6307e7c59790005960
SHA1c0172d31b05a926982452b47a46ba44e94df96b6
SHA256218bc5104ef8b63a3abe2fe474f3054f10caf89342a9b5d908f6cb4063586bae
SHA5124a2a24737e118c6e3df8c407bf76f4b1b6bcdd0902e329967a2913df1400054a8fc81363a1b9c5213a8b8500c3ac8e88e245db1dd3a0c60c1bf8941f2d4f9695
-
Filesize
2.0MB
MD5d3d696796931dc7a5485ad96fb5bcfe3
SHA1f34ef1e0df6286dce8ce6970080101bb9dd85f4a
SHA256ea6188e900d29210f0394c5705586fad3cc9b6a441ffa86347d4accb5532ee53
SHA5129e01a249c2da82b1b3d8b94e934c305b5c11780607aa53bfc92015982d85dd5bda58138dafbcea3c450e2998025fd577155e4a465db7e602ef5a131115c2d93c
-
Filesize
1.3MB
MD5d9290d674fd905112932e1f283064cb7
SHA18742a81f9ae65bc13efd8860bb71595eaf89a198
SHA2564587b9e0933a702efbf813f7396d191b3997248e8ffc064c1d8a4e60473e1115
SHA512f42291d5ae6bf232cf9900f24bd2d6fd38f0531ee2f94382c273cca2b20dad7512eb2182ff89ac40ac75a2eb2e92b6fc64150a2aa2edcbf61c9a0bd23eb8b400
-
Filesize
1.3MB
MD540ae17f569d1c71b89710e3f7b737297
SHA171d594ec9892800d18bef5634e968bc8ceed11ab
SHA256bfcb63dd8fbcc51a4c692a0572b79d4741cc31a172a21ad82bbd88f6bcbb36a0
SHA512097b8f65abbf633212d453afc32c11c12317f0ce9d98bbb37a75426488a22bd7302e9095e1e2444e9614f2391ca270064f502ae31e36290a1213200c6cb2ed7c
-
Filesize
1.2MB
MD53ca420a828ef5acfe6dca28c11af23ec
SHA1ae66e2eec5b60d10de54e4b866e77dd2dc342cab
SHA2562539250ae20dd295182fa09f0a777b4e4a3483b391231b9e8a3952a178e5c342
SHA5122a3ce65b884cafa53a5d20dc42036341528b3b21141e7707eac2e6d832e91f083c65fc0c7ab7b43f5997ca574fee2e76d3631f52a8ac2d870c3bc67a6d1cbb6c
-
Filesize
1.3MB
MD51567f0443b8d5f6d65e3477fdcffac41
SHA199de43a0936be61f4de5d6468bc8e8915463df1c
SHA2569d80c3bb7cd792e5b06281ce1d6a57e7c3342a9a4226cb163991ca1704e715e0
SHA51245dc41d06f04203b69ac1923426686935a97f5d45392ab44be1806ee3c79e4fdbfef6f985cebddfa6843f948f18f7e2c6afaa590020a0b7a5731e08dd33e2593
-
Filesize
1.4MB
MD51a949116a7d0600a631224eb475f6d93
SHA1f5ebb95ec24a86201bd60bda552cb7115597b794
SHA2562e20676403f885b324ae039c718773cf71d7e5d97777da786cdb17f2723bbd9b
SHA512c94d78e0af8fe31148240365d5a14c829cbc9ff00b0516228aadcc0e2481519ace7a888d5664b8ce405722936c0fd434850fdb4cfd1651932c1cc348f84d92dd
-
Filesize
2.1MB
MD51c3f4fced755f1f3358963a8a5ff12ee
SHA141daafcd0be6f39d4b1358517a700e2b6a0ee966
SHA2564f1c0c041470811fbd8792f56753ede673fde8e60f85bea113262af42be3a29b
SHA5121c800a85d5df15d493304e83be329517e2588c920a503d0d4774a5d27a8040c3217fae5ea3784e58021ada8f140c35f080c22ee1c2e9bc4f2e3ccc25a2986cb3
-
Filesize
40B
MD57806f070ee1bf48d945790a0c2a61355
SHA1cd3804e5db65628f5a3c0a8accbcb6d10544280c
SHA2566520df12afb6e96315f15e8777e8deeb8b25d5ac72136065c7d5accda00cd895
SHA512c1c368d258f84828a08885a6c25894d96da5f1bdb66ae2828bf764213827289c4df027188338fede003a59c8bcdf64ab3eaceb0d20e62c8ec8620c921901c7bc
-
Filesize
1.3MB
MD516f6f91b7d49355fc7593f04363cde08
SHA1a5f3808de24407a309aca600129286d41cb974a6
SHA256347e4afdac373dca9b8b2816dc74575ea531c9a999aae1224484a7ec89cc2eaa
SHA51281efbc15461aab430426d1a8831e33fb759c32504636062f315bab44b74d768f9ed48531c84be3ff5894ab985b2f9bdb0fd88b6a7fb6dd759b5f3c8e2c3885d7
-
Filesize
1.5MB
MD5bfa08a606cb34a5237669088cf5fe428
SHA17d9aca5f02812c961be1a66261dbbfb921c17309
SHA256bc280c36eb7ea699c46a11269da3b78bebf8930bdcdf038f921f3484f4221851
SHA51229b14ca0e3cb39f11996fdec8c1e38fafca19b66d6afbd5a372b266ce205bc68f41348dc430d9ba46f1140e2e29a77e9c5839c5082ab8605acefde2e9a3a1a63
-
Filesize
1.2MB
MD56aada40d1a10b2559fa8d47ccfaebc40
SHA10b083ef8351423cf0308fa12481ca80779a94e24
SHA256728f34a15b000fdf0666deee942c2d7f0805b1ff745edd7e93ee5d7cebaefb90
SHA5126e3979544fa87642a16451e92cd9544e155c1b21bb05f05f28c164844cfa2221efceb823150523cabd6dc996e348aa9da0267941407f1720800df9da73a85f36
-
Filesize
5.6MB
MD565852d6c85b571f93f0e4b3fa04b7e28
SHA1854518490c34dbf3040342ec4fb9ade6ee3223ac
SHA256bb023db70e6fb718aa51d6db2bdfdcd3c50c207b8999ce009ce325b6b97b8383
SHA512693468ddd6702dd079001140bedd66d8d520aaab9b6248ecbc88d74e851d88817ef640bb19afbf014927ef04f625905076459880177c6919257c4eea25d2f157
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e