Analysis
  max time kernel: 149s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20240226-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 07-04-2024 16:39
  Static task: static1
  Behavioral task: behavioral1
  Sample: 2024-04-07_b08e0f568dff4a4c4429e9a023486520_ryuk.exe
  Resource: win7-20240221-en
General
  Target: 2024-04-07_b08e0f568dff4a4c4429e9a023486520_ryuk.exe
  Size: 5.5MB
  MD5: b08e0f568dff4a4c4429e9a023486520
  SHA1: 2c36d669df459d80b5baa54ea721266a9357a7da
  SHA256: 0f43ea770c1f04c5b14224d53b65a1ceedf2ef53a65b88acc3466d767bac015f
  SHA512: 447cd50b928eb23d5d0a6356b442c461cc6d871bb5c82eb9fa3df7ef14d98b0f5bfe94a8556be170713a8d5e467298e2bc8f10e47f8791a4311f4909f6364a3c
  SSDEEP: 49152:OEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1bn9tJEUxDG0BYYrLA50IHLGf/:UAI5pAdV9n9tbnR1VgBVmGB2Yyjl
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Processes (pid | process):
  4640 | alg.exe
  3552 | DiagnosticsHub.StandardCollector.Service.exe
  4240 | fxssvc.exe
  4212 | elevation_service.exe
  3736 | elevation_service.exe
  2760 | maintenanceservice.exe
  3148 | msdtc.exe
  3392 | OSE.EXE
  2412 | PerceptionSimulationService.exe
  1280 | perfhost.exe
  3936 | locator.exe
  8 | SensorDataService.exe
  4984 | snmptrap.exe
  1800 | spectrum.exe
  1080 | ssh-agent.exe
  5172 | TieringEngineService.exe
  5412 | AgentService.exe
  5588 | vds.exe
  5852 | vssvc.exe
  5976 | wbengine.exe
  6116 | WmiApSrv.exe
  3560 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
Processes (description | ioc | process):
  File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-07_b08e0f568dff4a4c4429e9a023486520_ryuk.exe
  File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
  File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 39 IoCs
Processes (pid, process, number of hits, in order of appearance):
- 3828 chrome.exe (2)
- 408 2024-04-07_b08e0f568dff4a4c4429e9a023486520_ryuk.exe (35)
- 6048 chrome.exe (2)
Suspicious behavior: LoadsDriver 2 IoCs
Processes (pid, process, number of hits):
- 656 (process name not recorded by the sandbox) (2)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes (pid, process, number of hits):
- 3828 chrome.exe (3)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (pid, process: privilege enabled; in order of appearance, consecutive repeats collapsed):
- 4792 2024-04-07_b08e0f568dff4a4c4429e9a023486520_ryuk.exe: SeTakeOwnershipPrivilege
- 4240 fxssvc.exe: SeAuditPrivilege
- 3828 chrome.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege (alternating, 4 times each)
- 5172 TieringEngineService.exe: SeRestorePrivilege, SeManageVolumePrivilege
- 5412 AgentService.exe: SeAssignPrimaryTokenPrivilege
- 3828 chrome.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
- 5852 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- 5976 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
- 3828 chrome.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege (alternating, 2 times each)
- 3560 SearchIndexer.exe: a privilege the sandbox reports only by its numeric value 33, SeIncBasePriorityPrivilege, then SeTakeOwnershipPrivilege (24 times)
- 3828 chrome.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege (alternating, 13 entries, the last one SeShutdownPrivilege)
Suspicious use of FindShellTrayWindow 3 IoCs
Processes (pid, process, number of hits):
- 3828 chrome.exe (3)
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid wrote to target pid; source process; procid_target; in order of appearance, repeats collapsed):
- PID 4792 wrote to memory of 408; 2024-04-07_b08e0f568dff4a4c4429e9a023486520_ryuk.exe; 86 (2)
- PID 4792 wrote to memory of 3828; 2024-04-07_b08e0f568dff4a4c4429e9a023486520_ryuk.exe; 88 (2)
- PID 3828 wrote to memory of 1376; chrome.exe; 89 (2)
- PID 3828 wrote to memory of 3468; chrome.exe; 95 (repeated)
- PID 3828 wrote to memory of 3716; chrome.exe; 96 (2)
- PID 3828 wrote to memory of 5080; chrome.exe; 97 (repeated)
The writes to 3468 and 5080 together account for the remaining 56 of the 64 listed entries.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups/snapshots. Ransomware commonly drives it over COM to enumerate and delete existing shadow copies before encrypting, so that files cannot be rolled back; in this run vssvc.exe (PID 5852) was also started as a dropped (replaced) binary and enabled SeBackupPrivilege and SeRestorePrivilege.
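The check a responder wants after this signature is whether shadow copies survived, because deletion through the VSS COM interfaces (IVssBackupComponents::DeleteSnapshots) spawns no vssadmin.exe or wmic.exe child that a process-creation rule would catch. The PowerShell below is an added example written for this page; it is not sandbox output and not code from the sample. It assumes an elevated session on the suspect host and the standard Win32_ShadowCopy and Win32_Volume CIM classes. The Security 4688 query at the end covers the noisy command-line route instead and only yields command lines when "Include command line in process creation events" is enabled.

```powershell
# Added example for this page (not part of the sandbox report or the sample).
# Run in an elevated PowerShell on the host under investigation.

function Get-ShadowCopySummary {
    # One row per lettered volume: how many VSS snapshots remain and when the newest was taken.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop)
    $volumes = @(Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter })
    foreach ($v in $volumes) {
        # Win32_ShadowCopy.VolumeName uses the same \\?\Volume{GUID}\ form as Win32_Volume.DeviceID.
        $mine   = @($shadows | Where-Object { $_.VolumeName -eq $v.DeviceID })
        $newest = $mine | Sort-Object InstallDate -Descending | Select-Object -First 1
        $newestDate = $null
        if ($newest) { $newestDate = $newest.InstallDate }
        [pscustomobject]@{
            Drive     = $v.DriveLetter
            Snapshots = $mine.Count
            Newest    = $newestDate
        }
    }
}

$summary = Get-ShadowCopySummary
$summary | Format-Table -AutoSize

$total = ($summary | Measure-Object -Property Snapshots -Sum).Sum
if (-not $total) {
    Write-Warning 'No shadow copies remain on any volume. If System Protection or backups had created them, they were deleted; restore from offline backups.'
}

# Complementary check for the command-line route (vssadmin / wmic / wbadmin), which does
# leave process-creation events. Needs command-line auditing in the 4688 events.
$pattern = 'vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete|wbadmin\s+delete\s+catalog'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    ForEach-Object {
        $cmd = $null
        if ($_.Message -match '(?m)^\s*Process Command Line:\s*(.+)$') { $cmd = $Matches[1].Trim() }
        [pscustomobject]@{ TimeCreated = $_.TimeCreated; CommandLine = $cmd }
    } |
    Format-Table -AutoSize -Wrap
```

A host whose snapshot count drops to zero between two runs of Get-ShadowCopySummary, with nothing in the 4688 results, is the pattern this signature describes: the deletion went through COM and left no command line to match on.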
Processes (nested by parent; a "Command line" line is shown only where it differs from the bare image path)
- C:\Users\Admin\AppData\Local\Temp\2024-04-07_b08e0f568dff4a4c4429e9a023486520_ryuk.exe (PID 4792)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-07_b08e0f568dff4a4c4429e9a023486520_ryuk.exe"
  Signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2024-04-07_b08e0f568dff4a4c4429e9a023486520_ryuk.exe (PID 408)
    Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-07_b08e0f568dff4a4c4429e9a023486520_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2d4,0x2e0,0x2dc,0x2e4,0x140462458,0x140462468,0x140462478
    Signatures: Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3828)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
    Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1376)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcdf329758,0x7ffcdf329768,0x7ffcdf329778
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3468)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1892,i,4196166854989429620,764818935068350845,131072 /prefetch:2
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3716)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1892,i,4196166854989429620,764818935068350845,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5080)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 --field-trial-handle=1892,i,4196166854989429620,764818935068350845,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 888)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2856 --field-trial-handle=1892,i,4196166854989429620,764818935068350845,131072 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3480)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2864 --field-trial-handle=1892,i,4196166854989429620,764818935068350845,131072 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1000)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4520 --field-trial-handle=1892,i,4196166854989429620,764818935068350845,131072 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1884)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3744 --field-trial-handle=1892,i,4196166854989429620,764818935068350845,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4020)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4764 --field-trial-handle=1892,i,4196166854989429620,764818935068350845,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1116)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5100 --field-trial-handle=1892,i,4196166854989429620,764818935068350845,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 664)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 --field-trial-handle=1892,i,4196166854989429620,764818935068350845,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe (PID 5264)
      Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe (PID 5324)
        Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6d8377688,0x7ff6d8377698,0x7ff6d83776a8
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe (PID 5392)
        Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
        - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe (PID 5424)
          Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6d8377688,0x7ff6d8377698,0x7ff6d83776a8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5672)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 --field-trial-handle=1892,i,4196166854989429620,764818935068350845,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6048)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4988 --field-trial-handle=1892,i,4196166854989429620,764818935068350845,131072 /prefetch:2
      Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\alg.exe (PID 4640)
  Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory
- C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (PID 3552)
  Signatures: Executes dropped EXE
- C:\Windows\System32\svchost.exe (PID 4080)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
- C:\Windows\system32\fxssvc.exe (PID 4240)
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 4212)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  Signatures: Executes dropped EXE
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (PID 3736)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  Signatures: Executes dropped EXE
- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (PID 2760)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  Signatures: Executes dropped EXE
- C:\Windows\System32\msdtc.exe (PID 3148)
  Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Windows directory
- \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (PID 3392)
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  Signatures: Executes dropped EXE
- C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (PID 2412)
  Signatures: Executes dropped EXE
- C:\Windows\SysWow64\perfhost.exe (PID 1280)
  Signatures: Executes dropped EXE
- C:\Windows\system32\locator.exe (PID 3936)
  Signatures: Executes dropped EXE
- C:\Windows\System32\SensorDataService.exe (PID 8)
  Signatures: Executes dropped EXE; Checks SCSI registry key(s)
- C:\Windows\System32\snmptrap.exe (PID 4984)
  Signatures: Executes dropped EXE
- C:\Windows\system32\spectrum.exe (PID 1800)
  Signatures: Executes dropped EXE; Checks SCSI registry key(s)
- C:\Windows\System32\OpenSSH\ssh-agent.exe (PID 1080)
  Signatures: Executes dropped EXE
- C:\Windows\system32\svchost.exe (PID 2296)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
- C:\Windows\system32\TieringEngineService.exe (PID 5172)
  Signatures: Executes dropped EXE; Checks processor information in registry; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\AgentService.exe (PID 5412)
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vds.exe (PID 5588)
  Signatures: Executes dropped EXE
- C:\Windows\system32\vssvc.exe (PID 5852)
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe (PID 5976)
  Command line: "C:\Windows\system32\wbengine.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\WmiApSrv.exe (PID 6116)
  Signatures: Executes dropped EXE
- C:\Windows\system32\SearchIndexer.exe (PID 3560)
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\SearchProtocolHost.exe (PID 5212)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    Signatures: Modifies data under HKEY_USERS
  - C:\Windows\system32\SearchFilterHost.exe (PID 5912)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    Signatures: Modifies data under HKEY_USERS
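Two things in the tree above deserve stating plainly. First, the sample's first child (PID 408) is the sample image itself running Chrome's crashpad-handler command line and reporting prod=Chrome ver=113.0.5672.93, while the Chrome installed on the sandbox image is 106.0.5249.119: the sample carries its own Chrome build rather than calling the installed one. Second, every Windows and vendor service binary in the tree (alg.exe, fxssvc.exe, msdtc.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe, the Chrome, Edge and Mozilla elevation/maintenance services, and the rest) is tagged "Executes dropped EXE", i.e. the copy on disk was written by the sample before the Service Control Manager started it. The PowerShell below is an added example for this page, not part of the report and not code from the sample. It assumes an elevated session, takes the paths from the tree (the vendor version folders will differ on other hosts), and checks whether each file still carries a valid signature while recording its hash and size for comparison with a clean reference build.

```powershell
# Added example for this page (not part of the sandbox report or the sample).
# Paths are the service images the report shows being started as dropped EXEs.
$suspect = @(
    'C:\Windows\System32\alg.exe',
    'C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe',
    'C:\Windows\System32\fxssvc.exe',
    'C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe',
    'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe',
    'C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe',
    'C:\Windows\System32\msdtc.exe',
    'C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE',
    'C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe',
    'C:\Windows\SysWOW64\perfhost.exe',
    'C:\Windows\System32\locator.exe',
    'C:\Windows\System32\SensorDataService.exe',
    'C:\Windows\System32\snmptrap.exe',
    'C:\Windows\System32\spectrum.exe',
    'C:\Windows\System32\OpenSSH\ssh-agent.exe',
    'C:\Windows\System32\TieringEngineService.exe',
    'C:\Windows\System32\AgentService.exe',
    'C:\Windows\System32\vds.exe',
    'C:\Windows\System32\vssvc.exe',
    'C:\Windows\System32\wbengine.exe',
    'C:\Windows\System32\wbem\WmiApSrv.exe',
    'C:\Windows\System32\SearchIndexer.exe'
)

function Test-ServiceBinaryIntegrity {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Status = 'Missing'; SignatureType = $null; Signer = $null; Size = $null; SHA256 = $null }
            continue
        }
        # Get-AuthenticodeSignature also resolves catalog signatures, which is how most
        # System32 binaries are signed; SignatureType tells you which one you got.
        $sig  = Get-AuthenticodeSignature -LiteralPath $p
        $item = Get-Item -LiteralPath $p
        [pscustomobject]@{
            Path          = $p
            Status        = $sig.Status            # anything other than Valid is a finding
            SignatureType = $sig.SignatureType     # Authenticode, Catalog or None
            Signer        = $sig.SignerCertificate.Subject
            Size          = $item.Length
            SHA256        = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

$results = @(Test-ServiceBinaryIntegrity -Path $suspect)
$results | Format-Table Path, Status, SignatureType, Size -AutoSize

$bad = @($results | Where-Object { $_.Status -ne 'Valid' })
if ($bad.Count -gt 0) {
    Write-Warning ('{0} of {1} service binaries are not validly signed; treat the host as compromised.' -f $bad.Count, $results.Count)
    # Save the full table (hashes included) for comparison against a clean reference build.
    $results | Export-Csv -LiteralPath "$env:TEMP\service-binary-integrity.csv" -NoTypeInformation
}
```

Run this from a trusted environment where possible (an offline-mounted image or WinPE), since on a live infected host the signature check itself relies on OS components the sample may have replaced. A Status of Valid with SignatureType Catalog is the normal result for an untouched Windows binary; NotSigned or HashMismatch on any of the listed files matches what the report describes. sfc /scannow or DISM /RestoreHealth can put back the Windows-owned files, but the Chrome, Edge and Mozilla service binaries need a vendor reinstall, and a host with this many replaced services is better reimaged.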
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files; the report gives a path for only one of them, and the last entry is cut off after its SHA1)
- Filesize 2.1MB
  MD5 60831d13733a8df4976ed2bbc2cc1426
  SHA1 15070c0ffd44939112ca25c405cdeac63220305f
  SHA256 946fb8465e863f9b94e495a4e20e113aec9a7c2e318c028f1894dd1c22b7b1d7
  SHA512 1e2102d9491894601b107f745076175e5edf719658b4d215adabb797601ede9d8887ea4b370136ef5d385b8483ed0956ec56e7e7533149199b87596a2a426d81
- Filesize 1.7MB
  MD5 9eeeb03b787bb83dfa3c6a3f26433397
  SHA1 71ee01e3d8d4993536c0f226faf98507410422e2
  SHA256 319a327f941585512a072d10844e2556a9ad24d7cd161425007e873d5854931d
  SHA512 6e43b147d822bd7e197af4192db90738e1cbda5376c08d614ae305f00fc8bba72bff1aadc763098c30777cfa3d34a2c28579800c74d8caea2075fbed4c330323
- Filesize 2.0MB
  MD5 5f0f4d4eb4a4eafa027760df4512b02d
  SHA1 3a96ae2c3b0d6998d3b9e962b367cea122dd45cd
  SHA256 0f456752645378ddc029de608409e9f055f8c130c27ef392dd63944bceeaa49d
  SHA512 4a4b83d27cd3debe790d13cc3f3b019b112991fba9c4dc08d876eaa42d5cccb701c6440c2941d3594b74b55481e7876203ad0f1e767c74d3ee1f84634cbc9574
- Filesize 1.5MB
  MD5 af4bdf9fd0a4bcd0f72dcb8de4753927
  SHA1 3c2d6975a51647e7359920de55984a52e15ca5f9
  SHA256 66298beacd1c4c13ed109338b1da18df978c7d7149074ccd369a31f96a08074e
  SHA512 d589db0894de6b431837f4e52f408799760dac0a60e99dd408874d449eec6826174d28c60b9778c37a5ba01dfde3f62deb9bec8dba77dbd54a333b40287ecaf4
- Filesize 1.2MB
  MD5 5e8467f8300a12727fd2814b04938ef8
  SHA1 b15d39df33e6b1b1b1cb32660cec2c5d743f4de6
  SHA256 b883087182e285bb0ce26011980dfa043700501eb2548ab5567567ca2736d7ed
  SHA512 fd8250207200cecc6a83f72087c591841d8668fe88378f9a099674b59e9bbc1064fe118ec9ab605e296e962ebbee9237987cebef59e8e573a7c67b2afc692fd9
- Filesize 1.5MB
  MD5 7d32cbf653c7385c6cd35c40062de537
  SHA1 9cd5408261111dae32adb026d8cd6e681d403c23
  SHA256 c3dc8ea3a4b715269f14b409e73f0f8793dede4c487980c6e577928ad959e88e
  SHA512 81c663c45b4b9d10878dce1c9cece4e193f6ba60fb24d74fc2131f224c9606b523411d542689f577efcf7351ef21870c0792614a1ac47bf350c9b835de153404
- Filesize 1.7MB
  MD5 f42fcd4d52b0025633e3b6d1bb682d68
  SHA1 8dac7b716b9830e06cd38cba3a8e50cfbc879d11
  SHA256 2f367187d7d6de6dac313b9f464bab58af2530c3cf2806eb96bd9ba4b8234df8
  SHA512 2c5e612ff8ac12e9882e3c29cd4c9029e0f453fc482b55f1002983f1ae18aaf22c01e87e79efbb62ee3a8651716d52578fe428c3a6b49038230a5ddfa9ede468
- Filesize 4.6MB
  MD5 555d75045ac160b6011d9a77355e2027
  SHA1 71aafb9277fac50c4520178fac0cd54188a5fbdc
  SHA256 7c1dae18f1df626d329834776f9cb871628346ef36b31e0d7834ffedfceec9e5
  SHA512 39e168f96a736ac635e571709073fceb659889c9bdbb8b2f5bc00c1bc076e7801dbd0395715e5aa9a25af8b2a96aceb48c8000b442e3769e3fe219ab3ca16c50
- Filesize 1.8MB
  MD5 d32ba7950c29ca6b99bf1c9587e62628
  SHA1 36f50d04a21966c9dbc2c0146cb17102b4a0a8df
  SHA256 43710fec0f5c88a9c750639810b23bf6e7e6e69c1bdba810c97a7a2d4d73090e
  SHA512 7d1a6240ddab626fdd6ab4d62ca6cf02f24e6e89138f978086a88d44b59c7a21a9062e3f0c50cce10982f57eaa813feb906754d701685c72be042fdaead11464
- Filesize 24.0MB
  MD5 70375f6111b57611fb30fd24d24b8754
  SHA1 d7560e77e71a30daa105f518a9e9a22737f1fc2c
  SHA256 3f340bb53913ca9181f7d7b933237731c9b1f5acdb73d1c5501e57d05a0ac501
  SHA512 403e774242b78361f91df5cc7f3b34cab4f13c848cc471ea1ba89e7ea610d0f555c16e5a09e4b14f5f6406382e2c3998f6fab6033f8bd8c9923ab6e0e35fd6f3
- Filesize 2.7MB
  MD5 b0ad481d66645ed136cac4487e0970e0
  SHA1 5f0bbfedcc5f7d05e6c038f09728a172b3902971
  SHA256 84316c5f07d1340d7af0b6f862d1ecdc1e917e56edf5deba600a8db6437178d8
  SHA512 f4652580d5d2096aa634cb159100edc11c51a5059ed49fc0a6e0eac476d361a3aa60c2f1ae909255b5db7cb64fa9573cf52d1c0aa811b846fe1538ccf9008739
- Filesize 1.1MB
  MD5 39390f98c74cb458fb0a8df74427fbf1
  SHA1 fb59970dc9b3eaecb38330f7e4335e46eb96b713
  SHA256 544d28edc8e111bedd6913ce8de6b40b78cbd3403f83b80857f22b1504905af7
  SHA512 a9f2839f85d256a59dc70176be9db2fb56851669e170c0e47bd75f9a217294386484511fc1695200227ba07eb28754811f118a9d1d9276e84b1a89e6ef50df16
- Filesize 1.7MB
  MD5 bdfc2b859403181d74fc7824df2eb8d0
  SHA1 5d242d8799ae7740f821b37e678d2bc8d88d6970
  SHA256 1b66989b9702e618fedabda07e9f51b0f806c0a106e2619d1ba9aad484d59f4f
  SHA512 1beaf763b0fa2b97f2381e566784c6ed3e663831dfd3ab989e36bfc97fd600a48abcc1af02c34d66f126c3fa8982c695748d77cc7a2739ebc6c8a1c60388bd83
- Filesize 1.5MB
  MD5 b12af62874497c4b7684248ee1a592cf
  SHA1 5b2570936f9ddef8ae678b49220cc77eea0e694c
  SHA256 a28237afe5095818f345b37ebce8f6a271f9ca34aad1d5412ba91b4f0641f42e
  SHA512 c5d89d3bbecd8ac16f33331094cf97c2f020beadf6a42bcdeef52ab5dbd40f4fb398897578698d4cae5abffc3137d0482e9e4c170f356e69983f7f1816965cac
- Filesize 2.2MB
  MD5 8ad184e8e13da54d76de47093bb7c4a1
  SHA1 1653dd61074ab765c2ee73c80f9164ec8f1f394d
  SHA256 50508117f7b1c0a22391d4f9e67673136222fb5316480e3255fb34e1094d0e23
  SHA512 97bca752cfc0283bca9391853af663d08a8ad3ecb444365f1935c086ce25825a6feb867a6489b55690616f1f9ff470b7aaeb1453083f007f493b70fcf61f0860
- Filesize 2.1MB
  MD5 636e36130476965b5eb4398eb60f0097
  SHA1 48a7f51b046bdb8d38df129488ef74f86ec4ffa2
  SHA256 6095b64f38812307f6adae7872b16157f4451f6c0c7fde0f05708b7b85507321
  SHA512 5495986707dd4dd50492b6487597bf3a1b429bbe5e54ad3948621eb4bd1a7b870fe1486f903f91677f6dad614e3730dec8e72a55e2571d499748004843bff1bf
- Filesize 488B
  MD5 6d971ce11af4a6a93a4311841da1a178
  SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
  SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
  SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
- Filesize 1.5MB
  MD5 35a964f4cb19f836c06505957f822dbb
  SHA1 7dd8a0e09559a58809980c04e0f6cc21ec29b0e9
  SHA256 6069535ed2f557fcd9549dd0e61156c0424c4b23f549997ffb77a966e6774b23
  SHA512 cc0679979b98d61d9a8aa7b82a8acfc3fbc199475e6ff472d972eecb280681161704f79eb9ebbc9b9878f7aefa4b1e864092744a56cd68e2092cf8cc79f4201a
- Filesize 1.6MB
  MD5 f0f1f2eefdc371b4de129f1bb924b795
  SHA1 82b3b534dbc1dd19455289e4c4211f98a903d67e
  SHA256 01ea75f58e84f682a97a37b627d2ebbdd81aff0115bfc5e1b206a91306f0d83f
  SHA512 f3dbb7cd238a21055c0008319ef24f433596aa77c15e45edc5a3a5382bc225aa13eca4080f1fd9e91d9577a18a372950dcdf0dcf89123e5fd1fd4b7fd3abb3d7
- Filesize 40B
  MD5 d98a862745da89fffa1a305d578048b9
  SHA1 59c750081af110ad27f4a360bef4ef689b0fa519
  SHA256 2d1a2162f435610d5e0dd4650a8e71211f1a25d879a94d11fc06c111c69a23ef
  SHA512 d7885a29a75646721b631f736bab26191a0c79f7b32b1e2c7d1cc79507ba80a598d9bb9e967a10cb522d6f8c65c1a8eddfd96d75ccb0914947c09566c7642dec
- Filesize 193KB
  MD5 ef36a84ad2bc23f79d171c604b56de29
  SHA1 38d6569cd30d096140e752db5d98d53cf304a8fc
  SHA256 e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
  SHA512 dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
- Filesize 371B
  MD5 1b0bf27fbdcb3f920bb84cb6fe3ae4ef
  SHA1 40853ae7129d59e964344799a995e4dd6e2783ed
  SHA256 bf9905bb8175ea374cbbfd9399f48ba5b651a8dc15afda51c14327a7550a2e19
  SHA512 e6566fe1a7ced0dc50f8bcef82fccdb9fdc679badb2890d8dfceaaa58e094aee0c00bdb24eb1230c4bc1cb282cdb79a746067cf265b1de0809989bb1bab13239
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\ac575053-e5b7-4a05-b3b0-631b76490879.tmp
  Filesize 1KB
  MD5 a6140abe0e32372b2cfd34b4fd42de76
  SHA1 5d397a41dacbadbb4df7f64e4d3ccec9f308e24b
  SHA256 e6fc03fd2a0cfbfe1e13b7d288cdb99177ce643028eedb2c483d6fe7968a5257
  SHA512 7d2b9b13756536b16743a75d8320daa84d8d1f68402f918ae5738f370f4dfba0fe48d63d4563ae79569bec0d09c5a0ea015c73ac9a369dded8945835ee008cfc
- Filesize 5KB
  MD5 274d36d238a3bcb404cb4e81c8e16f87
  SHA1 9791999e279cba61ca24ef3932035f91a7b5b638
SHA256376421208b607de6806b6dde09124333a3fca5325aa84e8356e9777a46577899
SHA51224bf04224cc94cb49004c47ab5ceeb8cf96b4bbc701d802864e8c02894556cdf1a3e6574a230b8bb302f3d027cffa42cebea6cc0c989f054b010513b02b28590
-
Filesize
4KB
MD5d7502dc78aad35f62c3fdc24adcbfacf
SHA16bb1addb0983402e6fd8d406fea635221803c967
SHA256b515224fd4ff3bb867d617c908ba59d9e163a3ccc32eb35afccf3a8cbbaa5f4c
SHA512f5bdba8938b29082be70fcca6a42b08e8228cdf6e25fa22001c8b5ee34081f357efebaf9e4e824f55b1d596056757da4683c80f19f73aa5bc0d8da7c18ac40a7
-
Filesize
4KB
MD508a4232d0b8761306a8b93d2dc1c8824
SHA19219ea1eac0e13f0c6ce4b9b7d60d8359f9cbb81
SHA2566d65d141d4bea28c7199aef64673f2c2cae9c89fbeae6c79911bafe0c4fc7055
SHA512b120d642c7342d9ff94d853ce0b52018d7041adb1c9075f6cc6fb566e18db97e834c3595e3b907e77c658ad727eb1df1a83065eb58e3021d4a6223fc8bc7a043
-
Filesize
2KB
MD529e97ab941f5c82421dd16c25e9a6087
SHA1c2e54372210cd01a8aac728f18e01cad1877e6df
SHA256434f74e38c83f9ef23934cbf9477d3bb9e8f40cf5adaca89b96fe15a283793a4
SHA512de4ebcb46a9bed711439e693231b38961e7958069986bb0f485781dd8ce4ab410612d5d5d9df8c89b534b7b0c5231b3e29aede00dff940e12c76ab2fa78909bd
-
Filesize
15KB
MD5d572808d3f78c411c734efa03fdaa0f5
SHA114bb5f7975af83fb67dd24e2fda30464f4f5c1f0
SHA256c566950899664e21f11059d8ef3521f6b687a2185fe8cb49c26b7894b598b5d9
SHA512a130c1f33988f40347eca2bb28335af20d4f46a49b8ff4558999dfc95a918a09f8374cee24e6fdef43d8bdd2c2980babffb789530172b511b1953003d595ad10
-
Filesize
260KB
MD5dd7f50a3ad435ed34ff31c5190bbf8ea
SHA197831ce71e11b4bdc0fc68a6270618d8d0fb42e2
SHA25659e3dce8984a217789c58f2e6861828c561556b5fb093715728c76eb11a0539c
SHA512085a943a578f023085764b156f34a179dd57fba4cc48aa713175e61d824a65dba109b944308f66ae04f01108902e591217541da526ec8a46f029a62f4d8b6efc
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
7KB
MD5b141b968c66d16955f3f307583275f30
SHA19e9a24db3bd4c911977f8229c71c196f5cb471d1
SHA2560a5b8829118e2c9efe7fb5e3b9214b9f3494a2ba8e6776e32bfadd3c89bd9c98
SHA512168a74b6a1ffed13d031a90b70ae36a20c8632789dd421613584c9ab9d4a26fe2af82b4e6c0afbc35aeddeb25ba893dc2e532ce550bf4fb97d7122df37fbcb53
-
Filesize
8KB
MD58223b9663543291df728bb785a0b1f67
SHA1fa73a74ee10769b2cddad3eb5e13c7a314bd0ce1
SHA256766e9046b831327596cf7d46a428ed142d8ff5b3906704d8bd72ca768968ca3a
SHA5123c0bd45e65ec2fc0ab55b13792a546696b370afe4c21f54b8cd2074219c3fdd1389e673526fd799961edfe57811a77b11620d6a8af28515bf01ec1efaafe824c
-
Filesize
12KB
MD5d56994eac6cfaefe6a040bf63de8e54b
SHA165c65a8d66ab0889cd1f2f4857ea9e646de708a1
SHA256a08986a9115947ec5c02a04c85b3166717518ed3df4aa8dc7739990198052a04
SHA5121ea1fd611086f98f3a39c3c280f7cd7276d06944e8f6e52f454ee9c606947ede1bb54bddf7e7c61019666e30a87a818d1443407488e25287ff572a9ee655e87a
-
Filesize
1.5MB
MD5149be38f867a8c11288633a2618e6be7
SHA158f38e1cbbcbf10fae625f97ec865a1828a65a33
SHA25686c6ebab5bd5aa802fe651a2edb790604abc3cdc03ab561bdf9238f2b8f5ec91
SHA5121689360eebc16373d486e610ee81d065b04a841bd47fae397f6fdb83d1a83ec4593e45dbac4fd00ab12526c4886f86fc439154f09ba5400324ede4f14584c119
-
Filesize
1.7MB
MD58e2682a027080bec38e81550ba21e56e
SHA13dc79eb4e2bd79bca189f79df838a8c8fae3b091
SHA256bc106b5fd03545b5b544d881c39e42ae9e1818b2188690dd87f04e2fb34a4a2b
SHA512abaeadd73e8ddc2de1dcda68b6b6ae60a39f38a743abc7d1c24323866d992a7937c3c0ddeed21133a387cc0634326732b8e577d2dbd9511c511dffeabd250c02
-
Filesize
1.5MB
MD5932d4b693757f9f71d1e0f1cc14ebabe
SHA1653e044600e4b96d754b2116f4823f6a277ccb76
SHA256a2da85493ad32ec684fcfc1936e3c5f159b78a9f7c385331560d705dda2017f8
SHA512d4ff51c81883799078b240480923a3a0be3824786fbf2a688e2ba52200f401416a19bfe0889bb699cfb454bf2ecfc7003a9bd88a8ef75039575f989aee6d8383
-
Filesize
1.2MB
MD5ce431ebd7bd4baf918a04b136276b581
SHA13bfa5ff5d63b7cfd2cfa346db76ef0129e7fe4b2
SHA2565bf90aa258cd806456239ea878a12d70afaab9250530075abff7f7d1dbe84436
SHA5120e09d60d29dd554b6f52b279863b81d5597c80b0e4006b16d7cfb0103404feecb1437ee5920876cc42fe261731b753b7e1b9de64cf9b432e1bc30548f6d30725
-
Filesize
1.5MB
MD575d8d50bf5252ecd53192c2e419a5420
SHA1a6be45e0e9f3f49af5692d62abc7803149b318b7
SHA2561d2e7d240c0722a447cac150b4f200484979a4e489f2752cffc08b44392f8552
SHA512519a90488d00158a905b8a2fafb27436c218aae57b7732c0aeb02219dea932b62ad39ae0da67955ba90ec4b649d791134709e721fec2558b20bec55202c0d793
-
Filesize
1.8MB
MD5e02391510892a7dbaca87c82eb241876
SHA139b089e91b6b390509d3a9e1d082bf9d34a0095a
SHA25627c6f220ba7f539742b579a712b325be3427853e0ce3446424b9532cac36b9e3
SHA5120913c52b614482e84e2ea551df28b5260270c5806da5bd1b100bcc73e87bc55b0bace18141e37da0a820af4d9312c64a3a7958dbceb79cf3fa983410ee8fe80f
-
Filesize
1.6MB
MD5ed5ee6daa0ca12d21a5470df9d4b737d
SHA1b348cb4ab422fd4daa66f1e6ccd6851130454b07
SHA2564feb7443de41ce6ed30a6221f5c4653ce93d834233bb13cb911e3dfed0257645
SHA5126f79ea04c7c7fe24a5e94a1a8f463889a0fc15702068de12e87e31793a4351dc2b2a894c2d288926d45a803a809fc0fce80b4a331f2333604746e99c66656ad1
-
Filesize
1.4MB
MD523604ff244e97d7ab7ef0063e7b36907
SHA1da8eafc53128fd683835dea27464714bcf8ae4c1
SHA256e125aea996a333811187d7cd7a45039fbde5d76b2eef5980a1b9757fae7881be
SHA51235d87d388651bd6437e35483f54774412f2a56bc451605abd2a228fc528efaad2af06b8dab686dab2d17a55e747089b1ccfdf118873e1ba082d18825d4da502a
-
Filesize
1.8MB
MD55852220f485bc1ea34511840072be800
SHA19e340e64e6e041629950b62ea67655113941a5b0
SHA25653ffeb90c0048cc0b3202ddf3bc7ce5d834d4e7099f0ef8a0ef947e6ad3c1e26
SHA512d3eb68e8c1729eca355015a0add6df199b27e95dd0b9d76531e20512d921107226c0566041d5118e14c5fa20ddc73b302ed6c5a300baf24269119a95f1bcf656
-
Filesize
1.4MB
MD56fc0a79669887a5dbcc4874808809866
SHA1b08dbd727759d45c4f418f1597503dce41c431d0
SHA2567cd482cbe48929352e1b967262f1b55c9a798883ce7353a9c673acf3bda7fc5b
SHA512ef79854962c7c86ea1d16f5b0ec1665df6e3790e32f22f5b586894e26aea90fd05038a8eea272ad20502ccd05ff1c35c7016198a5d45abb33989cd20286318cd
-
Filesize
1.8MB
MD5053a8f8dd182e7c31d39d5497080ced4
SHA1c60b92e6bcc99d1062396beccd2af218a705b337
SHA2568e579eb066ce046f1c499e4f29603d4a27ac8ded80993eed52526531e5e2c94a
SHA5122ae03802e6dc0f7736494a82231275130488a105e79ac8470808b08daff82853e36b0b6f436acc96a7dc8f3b5df7c77dbe57e1bf02904b8170ee1184fae85767
-
Filesize
2.0MB
MD52ec9e5edca26c558869d2e3ac8fcc889
SHA198abbdeb9ca237a6aea7914e584f0a8361bc9728
SHA256c8f60dd3f0a10124425a9d94cec00212a7b5dd3a3e19a4a48a621cbc82fb52a9
SHA51253ad6ae89e09f4d9c7678b0d9f5b5328cfff0604578c6182ac2984866dbed773492661f8dabc1cdbf40d8a87c526a8476b43bd74955f1ca36fe0b08b1f424a39
-
Filesize
1.5MB
MD5f6c5661662f61d84a5acdacc56cbcc54
SHA1878eba212e155baeb7d50264f9efbcf56418ab45
SHA256c9b09a2a491b8ce96dc427755c25dfcfd9188a2deb0d9e5ee42a94bd5fd5c9e8
SHA5122dbb7f9e931ee3db933960aa36553aa8d8607556311d3a00fcfa2f1a6626e6f4cc0245042172b56ab83ccb99b34a0493a3368edbfeda374331055c0b5cc31b28
-
Filesize
1.6MB
MD5fcd82f93a74b45bf11e8773cf1526365
SHA131b3d6999fba74702e273d105a043ea7e35bf51e
SHA256527470671ec89e4db85110e117bb255e0fdf69311e9a7a9c7cdcaee0458a47bd
SHA5121609d675416809f20cb84e209d82a11f7cfa9519b847c68180c12811f4b13877c7ea62573d4b3f9ec3280118efdf270aa4594a1bea124f6e90853f4ae7bcd27f
-
Filesize
1.5MB
MD58645197a4d9c2bbbeb58812ae79cbe3f
SHA110a06c9378efa1e42f44201b54512a193ef0d696
SHA256fe9d0dc21eecab76ffbbe465cff2d37a76d7b9f0bcdfe8a8fe9242e5b56b6b1c
SHA512ff43b8c5b25d0629da309119195457b4c5c3efd5e3d2979c22e3af38c51f73ac1fe6dad9e79199ad55c2b3d4d4351f85b429a1c562f1bc2102f8eccece769239
-
Filesize
1.3MB
MD5f9e86ff597ce60883386ceedc2c7f4cf
SHA1b63218ead7b51804153a7c68ff52e9a645374e9e
SHA2564e42abcf43fa9a0313310a04dfa88e7e4bd85623aa0be90f7bad8e33d18372a6
SHA512b55343230ee93100206fbe947b7c1461183525aed61fb82a085bae3b7c4334795b2d13830acd3173504bc414b38e240db93be59750009d1c4c844277dfc02818
-
Filesize
1.7MB
MD53e53acee892d734dfa270127743b0ba6
SHA199ddffcba167b3b9b2d8330e9fbac89d4baf4ccc
SHA25692aae7d30a12522d65e4b90c7e42a3e2054ad4a44f67141f2fd0a4c8607f2ee7
SHA5123cb82f75adfe788c0dcebefea2fdc7ff4e5abfb6e26b43f30b2c96cdba98fb79f57a51723b237d180abaf41c19d53fb836c24b933613b0822870993f7c30f041
-
Filesize
2.1MB
MD539757697d47673c564a842094ac8fcfe
SHA135d94424554d2cbd7a96ef1eedcc50dfa2e3311d
SHA2561d5353fc299b33434fc80c0a4454af3cf033d4f355ba653a50f60e8c3fbb3314
SHA5127ae8c895cca12b299fef751563fda8d5ea6c7fbcc448e2a32b805475127dc3f64371c7a3aa5a1aefb3eabe0bd28e2788c0c57a48e277ae69432d725a28a1eb8f
-
Filesize
40B
MD52f356fd7d6ab9640c82881fd6ca23617
SHA12850cee0903aea112835caa614e340663d5e004d
SHA256cab65df1c84361a06e3db00485b191bfb5231b9ae9203a34aa713dca7180eefd
SHA512a84c1335dc783b68295ff907fa2ce5b55c13b54645e0266109fc2612d6287b7445b555638cc8bf5282d4037dd9fca9891f685410e7c477a2b39ff29e6d31541d
-
Filesize
1.3MB
MD55fcf7c1b36ca56608ecc69530670d607
SHA13543954ee580a6f3066f8b51ac78e2c56a50f1ba
SHA256d4ad7341f98d6ee7847fd61fd43dc43287ea00d9ecaf6827b6d95c80a2bc671d
SHA512e63591540764f76f03f54a28085695a58e0bccdde20f117b4c8d4cdfc414388a37ea13f44a773fcf1a858a6f6c507e9bd2ffeb39ba80d133964d26eddf144ae7
-
Filesize
1.8MB
MD5579dbf39c16b69a22fe812db7d4efe84
SHA10eb64ec5999312fa6ea343a93b236a01749eecbf
SHA2569cee4edcf81d996b35a4e0aaea49dbdced24ddf530374f83bb132bd4b311959f
SHA5123871deea340a12896b7d9ce2b8ba45d7f94bd0e14fbae713a17226e801f746a75770a95256ac33c0a904788c5d326124e510dab7a418cb5dfcd227fc5965e1a5
-
Filesize
1.5MB
MD5f56b7624bf5e97078bbd87d62e001b3c
SHA16c5bba6265a984465765e3b2327dc1f32d9123a3
SHA256bcebe2bf589fa981d599dc6c1c2a2a35e9a5baf142fb0a4a944d6b8672f121de
SHA512ecc1eb1fcc612d3b921d9ac977ebb7901aca9736d07ed237324c91bf42bcb540e7712ce4e35fa46839b1bd813b12b08eb4a30414abf1fc6513b450a5e7b59b97
-
Filesize
5.6MB
MD51563e2e09eab9bad0e315c54e485c3e3
SHA16187f80b8a14b4b849b0411b8f718fb08eb78341
SHA25658ec4e22733fe8d771d8cf7971c8c1a260cd14b31c9ba3f36566fd2bb2721ac1
SHA512423931876ea4937757b06bfb3f5c2c963a1950d7f0fa05698fae5fc91cd4d97fc8b62b46ae96b78c1fd0c82fce00dd167e56ade80c59c9a364158634a5683856
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e