Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 16:49
Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-07_7bdd1290d3c1f111916bbef19cdb9c0f_ryuk.exe
Resource: win7-20240221-en
General
Target: 2024-04-07_7bdd1290d3c1f111916bbef19cdb9c0f_ryuk.exe
Size: 5.5MB
MD5: 7bdd1290d3c1f111916bbef19cdb9c0f
SHA1: bdcee0d703c5ed4b154a8692631c352c27a54850
SHA256: 9f856ea960089556bffa00b66e715447b30d8ab90963d3b7654c8e1fdb7e72a8
SHA512: a358addf39239695b599ba2ac0c8a9f52f10de8ec1f7d8d215c9597e7ec8c2b9c5a1a90bc95e1bb30faec92c8f6f45ed58f351927905cfb1f213c5cb0bc2564c
SSDEEP: 49152:JEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfJ:dAI5pAdVJn9tbnR1VgBVmaqj2FAQL
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Processes:
pid | Process
688 | alg.exe
3460 | DiagnosticsHub.StandardCollector.Service.exe
4000 | fxssvc.exe
2104 | elevation_service.exe
4460 | elevation_service.exe
884 | maintenanceservice.exe
3944 | msdtc.exe
1348 | OSE.EXE
4664 | PerceptionSimulationService.exe
3372 | perfhost.exe
4432 | locator.exe
4212 | SensorDataService.exe
4748 | snmptrap.exe
644 | spectrum.exe
2632 | ssh-agent.exe
5228 | TieringEngineService.exe
5380 | AgentService.exe
5520 | vds.exe
5608 | vssvc.exe
5788 | wbengine.exe
5884 | WmiApSrv.exe
6024 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
Processes:
2024-04-07_7bdd1290d3c1f111916bbef19cdb9c0f_ryuk.exe, alg.exe, msdtc.exe
Drops file in Program Files directory (64 IoCs)
Processes:
2024-04-07_7bdd1290d3c1f111916bbef19cdb9c0f_ryuk.exe, alg.exe
Drops file in Windows directory (3 IoCs)
Processes: 2024-04-07_7bdd1290d3c1f111916bbef19cdb9c0f_ryuk.exe, msdtc.exe, alg.exe
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-07_7bdd1290d3c1f111916bbef19cdb9c0f_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
spectrum.exe, SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: chrome.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes:
SearchProtocolHost.exe, fxssvc.exe, SearchFilterHost.exe, chrome.exe
Suspicious behavior: EnumeratesProcesses 39 IoCs
Processes (pid, process; repeated rows collapsed):
- 4644 chrome.exe (2 entries)
- 1780 2024-04-07_7bdd1290d3c1f111916bbef19cdb9c0f_ryuk.exe (the remaining 35 entries)
- 1848 chrome.exe (2 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes (pid, process):
- 664 (2 entries; no image name is recorded for this PID)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes (pid, process):
- 4644 chrome.exe (3 entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (token, pid, process; in the order reported, consecutive repeats collapsed):
- Token: SeTakeOwnershipPrivilege, 5080, 2024-04-07_7bdd1290d3c1f111916bbef19cdb9c0f_ryuk.exe
- Token: SeAuditPrivilege, 4000, fxssvc.exe
- Token: SeShutdownPrivilege / SeCreatePagefilePrivilege, 4644, chrome.exe (7 alternating pairs)
- Token: SeRestorePrivilege, 5228, TieringEngineService.exe
- Token: SeManageVolumePrivilege, 5228, TieringEngineService.exe
- Token: SeAssignPrimaryTokenPrivilege, 5380, AgentService.exe
- Token: SeShutdownPrivilege / SeCreatePagefilePrivilege, 4644, chrome.exe (1 pair)
- Token: SeBackupPrivilege, 5608, vssvc.exe
- Token: SeRestorePrivilege, 5608, vssvc.exe
- Token: SeAuditPrivilege, 5608, vssvc.exe
- Token: SeShutdownPrivilege / SeCreatePagefilePrivilege, 4644, chrome.exe (1 pair)
- Token: SeBackupPrivilege, 5788, wbengine.exe
- Token: SeRestorePrivilege, 5788, wbengine.exe
- Token: SeSecurityPrivilege, 5788, wbengine.exe
- Token: SeShutdownPrivilege / SeCreatePagefilePrivilege, 4644, chrome.exe (2 pairs)
- Token: 33 (reported as a raw value, no privilege name), 6024, SearchIndexer.exe
- Token: SeIncBasePriorityPrivilege, 6024, SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege, 6024, SearchIndexer.exe (24 entries)
- Token: SeShutdownPrivilege / SeCreatePagefilePrivilege, 4644, chrome.exe (2 pairs, then one final SeShutdownPrivilege)
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes (pid, process):
- 4644 chrome.exe (3 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid wrote to memory of target pid; repeated rows collapsed; the procid_target column is the report's own process index, not a Windows PID):
- PID 5080 (2024-04-07_7bdd1290d3c1f111916bbef19cdb9c0f_ryuk.exe) wrote to memory of PID 1780, procid_target 85 (2 entries)
- PID 5080 (2024-04-07_7bdd1290d3c1f111916bbef19cdb9c0f_ryuk.exe) wrote to memory of PID 4644, procid_target 87 (2 entries)
- PID 4644 (chrome.exe) wrote to memory of PID 1668, procid_target 88 (2 entries)
- PID 4644 (chrome.exe) wrote to memory of PID 464, procid_target 94 (repeated many times)
- PID 4644 (chrome.exe) wrote to memory of PID 4100, procid_target 95 (2 entries)
- PID 4644 (chrome.exe) wrote to memory of PID 412, procid_target 96 (repeated; the table stops at 64 rows)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. Note that the process tree below contains no vssadmin, wmic shadowcopy or wbadmin command line, so this report evidences COM-API use only; a deletion issued through the COM interface (IVssBackupComponents::DeleteSnapshots) would not show up as a child process, so on a live host confirm the state of existing shadow copies directly (for example via the Win32_ShadowCopy CIM class) rather than inferring it from the absence of those commands. vssvc.exe (PID 5608) and wbengine.exe (PID 5788) are listed under "Executes dropped EXE" because their on-disk images were written during the run, not because the sample launched them; the SeBackupPrivilege/SeRestorePrivilege use attributed to them is normal for those services.
Processes
- PID 5080: C:\Users\Admin\AppData\Local\Temp\2024-04-07_7bdd1290d3c1f111916bbef19cdb9c0f_ryuk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-07_7bdd1290d3c1f111916bbef19cdb9c0f_ryuk.exe"
  Signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - PID 1780: C:\Users\Admin\AppData\Local\Temp\2024-04-07_7bdd1290d3c1f111916bbef19cdb9c0f_ryuk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-07_7bdd1290d3c1f111916bbef19cdb9c0f_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478
    Signatures: Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses
  - PID 4644: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
    Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - PID 1668: C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fef79758,0x7ff9fef79768,0x7ff9fef79778
    - PID 464: C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1888,i,10106217088650288226,15786608831216973553,131072 /prefetch:2
    - PID 4100: C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1888,i,10106217088650288226,15786608831216973553,131072 /prefetch:8
    - PID 412: C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2140 --field-trial-handle=1888,i,10106217088650288226,15786608831216973553,131072 /prefetch:8
    - PID 2444: C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1888,i,10106217088650288226,15786608831216973553,131072 /prefetch:1
    - PID 2944: C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1888,i,10106217088650288226,15786608831216973553,131072 /prefetch:1
    - PID 3956: C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4632 --field-trial-handle=1888,i,10106217088650288226,15786608831216973553,131072 /prefetch:1
    - PID 228: C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4864 --field-trial-handle=1888,i,10106217088650288226,15786608831216973553,131072 /prefetch:8
    - PID 4548: C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4884 --field-trial-handle=1888,i,10106217088650288226,15786608831216973553,131072 /prefetch:8
    - PID 3064: C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4800 --field-trial-handle=1888,i,10106217088650288226,15786608831216973553,131072 /prefetch:8
    - PID 4608: C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 --field-trial-handle=1888,i,10106217088650288226,15786608831216973553,131072 /prefetch:8
    - PID 3976: C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
      - PID 2176: C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6e7687688,0x7ff6e7687698,0x7ff6e76876a8
      - PID 2816: C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
        - PID 2832: C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
          Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6e7687688,0x7ff6e7687698,0x7ff6e76876a8
    - PID 648: C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1888,i,10106217088650288226,15786608831216973553,131072 /prefetch:8
    - PID 1848: C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2732 --field-trial-handle=1888,i,10106217088650288226,15786608831216973553,131072 /prefetch:2
      Signatures: Suspicious behavior: EnumeratesProcesses
- PID 688: C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory
- PID 3460: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Signatures: Executes dropped EXE
- PID 2220: C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
- PID 4000: C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
- PID 2104: C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  Signatures: Executes dropped EXE
- PID 4460: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  Signatures: Executes dropped EXE
- PID 884: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  Signatures: Executes dropped EXE
- PID 3944: C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Windows directory
- PID 1348: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  Signatures: Executes dropped EXE
- PID 4664: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Signatures: Executes dropped EXE
- PID 3372: C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  Signatures: Executes dropped EXE
- PID 4432: C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  Signatures: Executes dropped EXE
- PID 4212: C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  Signatures: Executes dropped EXE; Checks SCSI registry key(s)
- PID 4748: C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  Signatures: Executes dropped EXE
- PID 644: C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  Signatures: Executes dropped EXE; Checks SCSI registry key(s)
- PID 2632: C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  Signatures: Executes dropped EXE
- PID 5132: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
- PID 5228: C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  Signatures: Executes dropped EXE; Checks processor information in registry; Suspicious use of AdjustPrivilegeToken
- PID 5380: C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- PID 5520: C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  Signatures: Executes dropped EXE
- PID 5608: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- PID 5788: C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- PID 5884: C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  Signatures: Executes dropped EXE
- PID 6024: C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - PID 5376: C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    Signatures: Modifies data under HKEY_USERS
  - PID 5488: C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    Signatures: Modifies data under HKEY_USERS
-
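The process tree above shows the same pattern for 22 service images: the sample (and its first child, PID 1780) opens existing Windows and third-party service binaries for modification, and those services later start from the modified files, which is why the report labels in-box services such as alg.exe, fxssvc.exe, vssvc.exe and SearchIndexer.exe as "Executes dropped EXE". The sample's first instance (PID 5080) also enables SeTakeOwnershipPrivilege, which is what an Administrator needs in order to take ownership of TrustedInstaller-owned files under System32 before writing to them. The script below is an added triage check for a host suspected of having run this sample; it is not part of the sandbox report. It walks the 22 image paths flagged "Executes dropped EXE" above and, for each, reports the Authenticode/catalog signature status, the current owner, and whether the SHA256 matches any of the larger (1 MB and up) entries in the Downloads section below. Two assumptions are built in and labelled in the code: the report does not say which Downloads hash belongs to which path, so any match is reported as a hit; and the ownership rule (in-box files under C:\Windows owned by NT SERVICE\TrustedInstaller) is a heuristic for a stock Windows 10 install, not a guarantee.

```powershell
# Added triage check, not part of the sandbox report. Paths are the images flagged
# "Executes dropped EXE" in the process tree; hashes are the SHA256 values of the
# Downloads entries of 1 MB and larger. Run from an elevated PowerShell 5.1 prompt.
$Paths = @(
    'C:\Windows\System32\alg.exe',
    'C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe',
    'C:\Windows\System32\fxssvc.exe',
    'C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe',
    'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe',
    'C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe',
    'C:\Windows\System32\msdtc.exe',
    'C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE',
    'C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe',
    'C:\Windows\SysWOW64\perfhost.exe',
    'C:\Windows\System32\locator.exe',
    'C:\Windows\System32\SensorDataService.exe',
    'C:\Windows\System32\snmptrap.exe',
    'C:\Windows\System32\spectrum.exe',
    'C:\Windows\System32\OpenSSH\ssh-agent.exe',
    'C:\Windows\System32\TieringEngineService.exe',
    'C:\Windows\System32\AgentService.exe',
    'C:\Windows\System32\vds.exe',
    'C:\Windows\System32\vssvc.exe',
    'C:\Windows\System32\wbengine.exe',
    'C:\Windows\System32\wbem\WmiApSrv.exe',
    'C:\Windows\System32\SearchIndexer.exe'
)

# Assumption: the report does not map hashes to paths, so this is an any-match set.
$KnownBadSha256 = @(
    '7afeb8fb1a2e2ed971a0957e05058dbaae97982e765a0f64e3a143e7668265d0',
    '36e7c58e9104e9bb8422cfd70fef1c4ee2d9ae5812a6ef9642099f8c5f368226',
    '45d681e54fd0c5b3789771bbc532c0dc51a4388dc16f52e21bda5246897765b2',
    '4aec819ba9f0779e6e3333a08dca50efb3d8a8c62978943ba60c01c1af78e0ac',
    'b8851abe74497abaa94058b65a72a07aa31b6e1bf9338c7b0aaa00a2cf822599',
    '28d98f67fdfc77d9530584780b8b6340023ee926d97870f61ceb44db868d9b99',
    '99168c830a77c1d2941b1ab17ee982620a345bfc87f345db1b8a8743dec13b72',
    '4955cc0c4175cc83ae49bba3254e0b339de2bd5de11769fce72a9d4245da822b',
    'b9cfb453e7fed22e647eeb5109ef22d895bc14e6528ecc8e9afa9165cb5aa16b',
    '733245c331a71852e02c913e3a8e79c8d07528b0d91c737972fd8dd4397a48ab',
    '2ba6c5bbdaa145d7b1af8f777b20ae77c400e3966f06531e194f74fdc3022b11',
    'ebfc4f0c87efd5619a75878a823424e1bfc95ef948eb8545f46e34ad47620919',
    'a5c7b4bc4af19b61f1cb10589712bf5b59f751b94488aaeae8f10d6c3df32f04',
    '6ba84ffdc3bda08774ae4e9443161df2989b633cda38d7234153594106ebddb1',
    '87a3999d68700e88a140f761c7952df626dfe188177a8c2919ee1892fddaf245',
    'b1d0daa514844d18d69f294f056aa62a891260d0cfa50ca3746c1c3bd7714634',
    'bb2beda0ce25e47c60aace97d813ca489e010fa46997f3245ab5ceb9b5b25140',
    'aad0f8f981c61c58a91a7d31898fe7b37d7f1c0e6876a9f9a821a864158b1c6d',
    'ab4089fe053fde71b2e6abb78b10c4f2594fe995743cd5232db265bf7c0fbc60'
)

function Test-ServiceBinary {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false; Signature = $null
                                  Owner = $null; SHA256 = $null; KnownBad = $false; Suspicious = $false }
    }
    # In-box binaries are usually catalog-signed: a clean file reports Status=Valid with
    # SignatureType=Catalog; once overwritten it typically reports NotSigned (catalog no
    # longer matches) or HashMismatch (embedded signature no longer matches).
    $sig   = Get-AuthenticodeSignature -LiteralPath $Path
    $owner = (Get-Acl -LiteralPath $Path).Owner
    $hash  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $bad   = $KnownBadSha256 -contains $hash
    # Heuristic (assumption): stock in-box files under C:\Windows are owned by
    # TrustedInstaller; a takeown by the infector leaves Administrators as owner.
    $ownerChanged = ($Path -like 'C:\Windows\*') -and ($owner -ne 'NT SERVICE\TrustedInstaller')
    [pscustomobject]@{
        Path       = $Path
        Present    = $true
        Signature  = '{0}/{1}' -f $sig.Status, $sig.SignatureType
        Owner      = $owner
        SHA256     = $hash
        KnownBad   = $bad
        Suspicious = $bad -or ($sig.Status -ne 'Valid') -or $ownerChanged
    }
}

$results = $Paths | ForEach-Object { Test-ServiceBinary -Path $_ }
$results | Where-Object Suspicious | Format-Table Path, Signature, Owner, KnownBad -AutoSize
```

Treat any row with a non-Valid signature or a changed owner as needing a second look even when KnownBad is false: a file infector that appends or patches a different host produces a different hash on every victim, so the hash set confirms a match with this run but cannot clear a file. Third-party entries (Chrome, Edge, Mozilla, Office) are vendor Authenticode-signed rather than catalog-signed, which is why only the signature check, not the owner rule, is applied to them.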
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2.1MB
MD5: 5e5420e62dd294331c4574bffcd3e7d6
SHA1: 950e9cf9ecfaad1fd7ec4aac59fc0398575c2c8c
SHA256: 7afeb8fb1a2e2ed971a0957e05058dbaae97982e765a0f64e3a143e7668265d0
SHA512: c74b94f5265f8793803e65b6ff4300c0d9a62034e64eaff262b4c95cb5f72cab88380498c4840c5cfde771fd598d61b1d75d78c9e1e9d9f0f1d93eae94129119
-
Filesize: 1.4MB
MD5: 508b51202d5c845cb3b1cfc56487b91e
SHA1: bb3627e50e9681d0af13555541188fd9d47a1802
SHA256: 36e7c58e9104e9bb8422cfd70fef1c4ee2d9ae5812a6ef9642099f8c5f368226
SHA512: a4c76ac74cf1779c37e5191acac99703694725405ab2b13de91ce06169e6ddee3b7b3120a7689f0d2f1de38bc90d5e1b50de7cb65e98350e70b14ab045de7f63
-
Filesize: 1.7MB
MD5: 4ea31b6e52236124d3840811fece30c3
SHA1: 5b87b9908bee54940b81ed72f78cacae32966b97
SHA256: 45d681e54fd0c5b3789771bbc532c0dc51a4388dc16f52e21bda5246897765b2
SHA512: 0afd94456dcab38f1f55bdbc4c7e8ea245bfb4e17fbc85f8858683a15d90aec6e6e92b0db089fb3895cfe24330731f422909828fbf441ac024291633590ba1b3
-
Filesize: 1.5MB
MD5: 8b49720b9f7cf1edf81c608af1150076
SHA1: a8d8ffd37e50defccf09d7a41164c32810b8c126
SHA256: 4aec819ba9f0779e6e3333a08dca50efb3d8a8c62978943ba60c01c1af78e0ac
SHA512: 7b09c5dcb4cf1486e52b7e3451aefa5c81bbf7b214da6ca4f3119fc7625f7a41cc80acf74782b2a52268603d6d2c32674c9dafc8989beb4c6a350711fc507a90
-
Filesize: 1.2MB
MD5: ee0d7088a86fcedccf290afbe442eb53
SHA1: aceeacfe95dcc77f6134e6d4f388e4b40d9e3535
SHA256: b8851abe74497abaa94058b65a72a07aa31b6e1bf9338c7b0aaa00a2cf822599
SHA512: 70c586a29d0ed50ec0cef00e6e715e8e444aca2af46eebbf92f1d8a2be607a8393a195eed2b271af230602baf7daf69752e0b43f633bffd00b3cefd389b6594f
-
Filesize: 1.2MB
MD5: ef0386c82c87a2bf86402e0c8b985d0d
SHA1: d234a3c7abf2d2695b9ccf9690e0737e809f3a99
SHA256: 28d98f67fdfc77d9530584780b8b6340023ee926d97870f61ceb44db868d9b99
SHA512: b02d520b9d939ab3a211ea8ff9002bd6f42acf832a7b69d0166caecca63ac3851b2c7d71973aaa8029d9932130249c5df3806f436d564fd0d0d83e808456fc28
-
Filesize: 1.4MB
MD5: 2d4c22a40bea5b8ac0014d0d8c96a4f2
SHA1: 67677536ea76f0764ff711afd20f654a35533225
SHA256: 99168c830a77c1d2941b1ab17ee982620a345bfc87f345db1b8a8743dec13b72
SHA512: a7d99f91b4262b3f211234ec2dd8cdd812b3d7733ce4990610076cc0ea81571c7dbd8ab5fa21f7956019cea545b87d19c218fffc2695c4d08e74e05d7b685667
-
Filesize: 4.6MB
MD5: bc67d740494681f47c87eb77ebe44f38
SHA1: 32495232a27932d92d7d406679eb5102128a0f0c
SHA256: 4955cc0c4175cc83ae49bba3254e0b339de2bd5de11769fce72a9d4245da822b
SHA512: 641f5ffe2b7354bff881cdac80322d936f50f577fe22fec608fd2261e8d7cf38e350fa6f5f14028bf2edfa2ded96e0196e47cd1294e1fbdd1251a8185c79e141
-
Filesize: 1.5MB
MD5: 4bb9e04742d2bf31be80bc5e85ddb26b
SHA1: 4dd807202edef3b213bcce4d5a634f488a5c9fc6
SHA256: b9cfb453e7fed22e647eeb5109ef22d895bc14e6528ecc8e9afa9165cb5aa16b
SHA512: 8b7469b427d142c4829c3dab4860bc1f64d538f2f2d0a84602ac83537f561466c18bd62ed04bef2c464e4c74096f24f7a795a5e54a0b175aae646304b7e4819f
-
Filesize: 24.0MB
MD5: 992bc5aa3c5cbed91b7463c192f0d23f
SHA1: edb8ccb316c18ef739a6292e42eed40d6906662c
SHA256: 733245c331a71852e02c913e3a8e79c8d07528b0d91c737972fd8dd4397a48ab
SHA512: 6e8e7aeb0d54c8036b457082c745b931fa3c1a0bd459e840fc17d890a82ab49364c5838464e1a8ff892595ee7d93c0c382afe7834f9b9c615b040645cab3e50b
-
Filesize: 2.7MB
MD5: 06c41de5ff8bbf966af26c03b249acbe
SHA1: f311c289cef28db90ef57e19b81f09f2359238ee
SHA256: 2ba6c5bbdaa145d7b1af8f777b20ae77c400e3966f06531e194f74fdc3022b11
SHA512: 841553e8d025ccf520afefa4e23a85074f3f702137ac1f0002a1ed3c2d5c99e7c38fd5209a04678ce48c4070935166f306581dea9f325c2d1e62e67fffea18e1
-
Filesize: 1.1MB
MD5: a3fe376577a5dbda52c5cdfef50d50ee
SHA1: 11beafbf8be17e64f8103eeee0bea05bc6006346
SHA256: ebfc4f0c87efd5619a75878a823424e1bfc95ef948eb8545f46e34ad47620919
SHA512: 829017f7ee835bf5d2e47ece83c4d40790e04c70291c6f9e63ef63e148890dd6f724896efe26bcaba1b97d5be2decb767520a20db3b06fa7be3245cbb872378e
-
Filesize: 1.4MB
MD5: 6fb253acedf1b09876f5828f93942ce2
SHA1: d32d777f6a375baa54433a250980c83c6269e1e6
SHA256: a5c7b4bc4af19b61f1cb10589712bf5b59f751b94488aaeae8f10d6c3df32f04
SHA512: 94a253e25788f8e973cd9f6b32944d34ccb355eff00321879d39de3da483edc759c392fb0e23335adcd02a42dbf1a8e4d90a1f53321ce9ac233b71fc0e814864
-
Filesize: 1.3MB
MD5: fab707aeffc640c6f0582bc2bce1b9ac
SHA1: 5431ee5599e666cd5d3a652102dbbb077f5f7353
SHA256: 6ba84ffdc3bda08774ae4e9443161df2989b633cda38d7234153594106ebddb1
SHA512: a83a117f994945e8a04b17e31e7a5eed7c4502b0d3948f79d6f0113994ddbf77f5491c21dfa1680661446f5eedacdd7038d3b09ed907cff2482a0e4224c2ea04
-
Filesize: 4.8MB
MD5: 85e2320a5f738ada0a93c7c5eb129433
SHA1: 7f19fb1f4c6f99aee158dc782d2f44e6496c3acd
SHA256: 87a3999d68700e88a140f761c7952df626dfe188177a8c2919ee1892fddaf245
SHA512: 6663815b02cb8ebbb4d73a454bab1195da7784da42ffa1acf6aff265313a8eb593510ad12e010867050940d3dd31f0594e9ca6cfdd864fee7dfc944419a31889
-
Filesize: 2.2MB
MD5: d2fd404ef5accf74fb2628c7d8230c57
SHA1: d3f12a0042c132907b0fc0b6841dbc7e810db29f
SHA256: b1d0daa514844d18d69f294f056aa62a891260d0cfa50ca3746c1c3bd7714634
SHA512: 9f552ca90c88278c912f2c18fc6f3177342b7a3432930f762074c05fbfe385429584df7afc674f8eec9d55422e3be7f2768822fabef3fdd6ac85b0cca18f99f4
-
Filesize: 2.1MB
MD5: 59acd2eb11eb55e88f7581dad703f3d9
SHA1: 2e870a7762d6b5ed0e9231702dfb7a8cf75b3390
SHA256: bb2beda0ce25e47c60aace97d813ca489e010fa46997f3245ab5ceb9b5b25140
SHA512: 42045bc05f4f300492c61276fa970d0f1b6e2a2184a97cc387cf32d2ef6ca9520b7caf95a1fdf8c385c6d2c78d758cf5fce95b94c997beff1d59b693c0650d71
-
Filesize: 488B
MD5: 6d971ce11af4a6a93a4311841da1a178
SHA1: cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256: 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512: c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize: 1.5MB
MD5: f3d1f41d24c4104092aa273b28bc4b14
SHA1: 0843a44053e37594b53658094b90fc7c2a0683a8
SHA256: aad0f8f981c61c58a91a7d31898fe7b37d7f1c0e6876a9f9a821a864158b1c6d
SHA512: d4924bd78ef8ebce767480df2947ed88aa2c5f320638ac701ece45424f4b9878fc3997d7fd05cca1ee250dd29b765b917dbc53502988515d0b5e2cc461bb5a5d
-
Filesize: 1.3MB
MD5: cfbe03a789cd49a78135c9669fd76a2a
SHA1: fae530d899155c7dab96c4032809ec36c5d061bc
SHA256: ab4089fe053fde71b2e6abb78b10c4f2594fe995743cd5232db265bf7c0fbc60
SHA512: 9b855eb901c78eae0cd401d59eb9b9697496959fb73e594245f5521e81ecf1635c758bad0925144bb204f7c801713ce291ebecb12bc11a6e4ae339bee19f65bb
-
Filesize: 40B
MD5: 99cc49358cfa3628888247c84b312722
SHA1: 72df90d4341e204b5d695a65f8f0575d75d6d342
SHA256: 570055b300595d9bee19cd486aec73f2e432043cc1a510b5075bc55da6b32757
SHA512: 1b3f0129c396f2e582b6e1316e622f9faf71776e5878c95e71a961e4851f9aa90b651f0e3c3d406602c79f377776df5c8353578f44673359088ba16998fd614d
-
Filesize: 193KB
MD5: ef36a84ad2bc23f79d171c604b56de29
SHA1: 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256: e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512: dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize: 1KB
MD5: 4deeb776a55f068a7d1f13cff59979ff
SHA1: 6bbc51673549379a66e55680e0641d54115098c4
SHA256: 39ec5e853a3a5c4064d755d166548acc0520d8a74a34579ce12ba878f2955f99
SHA512: 8f13ff22146446a3e9bca3936dd4ccce0971961a57fd37d6486d1f0c800e2974543853a23b51acf3be6bd78db786b0a94c4a02102c45f9d3e7b2a18def4f9346
-
Filesize: 371B
MD5: 7c575c1ac2e9fdf018dddab97de461e9
SHA1: 1c57b0db2fc770ffcf9574c772143340bbef8345
SHA256: 49a18146c83087f0d993b81e91580487119981921d5c4a0b01b8a815199f8d88
SHA512: 1228d67e55497641ec01a0064d56f9a3b812fc01c8c91e2f4df64f7fc1116d1108d5a9aebcc68cfa41c7ef92dd93f77eead5d44b67236ec9c0681f9a46f36d61
-
Filesize: 5KB
MD5: 013ef36fb7308fab4f0e42a7e24c1952
SHA1: ae4ee02478de47afc27dbf5b0fae5ac5beaccb82
SHA256: 0d0a86800ef96390e13122365aafabb87c9cb9b56317de7e005516daef2c425c
SHA512: b9dde6fa27bad63d25c3e5cddbd5271af125addcda1ad3db406cf772d9ff99e6ef8154b9a7837700692c2c2dd730c1e51ae9b821524c744aecf838dcc2e53f80
-
Filesize: 4KB
MD5: 9c15827dc195825b7cac3895848936c1
SHA1: 71daaf270344e0fe0578b06822dc56e59cd441e5
SHA256: 7430471934a291a112ffde0cd5a8c2b8a4a89353fd1a511860d492f2028f6eb7
SHA512: d235ca5e79696b427b608d10858ea12c30df5cd5bac1daca71057e8b917a53916197165cb0f11bef2bd9d93f5412a96eac00e77b16b5c2ec7ec9be25090656bf
-
Filesize: 4KB
MD5: 66a95f0b6586cd07952687a8fa22f877
SHA1da2150e2b16522f172d97e74456daf0432437ceb
SHA2560155b24ddebb79e66afac2b295ca222ebe252bcd7eacfcb5abe263f48968dc44
SHA51200f3af94f3ff29c594475c699a55f47877b4b591d2141e29a70da997274f84e889fac740d7fef8ae804d8cdf5178052721f79f0ef84da749a809d771c111ccc4
-
Filesize
2KB
MD59789813c7b351abcd4b4cc4821874f82
SHA13c3839cb1e6fcbd66f3c6dfc092f3aa49c057c03
SHA256899961eb96b3c34c8a0b0bed8f6e6d81c5979592af5cc0144590b71e394bf7b2
SHA5129c8dce395a863812d3b050b5068e97301309e46ae0c69f6ee0f8539f3dd453d269bfe4865d4afc6a8518e4b85ac49f8901fc937ca19da27a1e5bd178e3774a76
-
Filesize
15KB
MD5c1cb597a74a799c5d7b940177656e0d9
SHA1d235225f0cbf40b0309c79af7e11de35a9b74517
SHA2566e930dcddc3608135bf0e26c02642194868b8bbefc9d1cf8c67a67e5bc7b104a
SHA512358711e711492138acbef7df11ac1b8508acf2bdf2022831cae13787ecb5f4d1546075874b80c162bb2964aea514a65c32cdd2e544a5bf6634f8eb0856dd25f8
-
Filesize
260KB
MD5cda6858c055d1217146411341326109c
SHA1df79c6d4705865ab35547326b3f8e4997d587f5a
SHA256eac27e49fca44c82fadd697186350f14a0bc5e70e02fc76e582c823d5e4d54a2
SHA512f005443d7cdbdd8177f4d9e0a404d18a87b64c69f4ee61409b75ee1b6b103496bd6cc52da22d5f9f6258c85f99acd8b835944e22d5bfe1d80e97d1e1d7603893
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
7KB
MD5641afdd25b360f7cf469c126852f39ae
SHA12c838b4056384ea3053ee90d81c6451a16083972
SHA256240cc83aef6c696ab7eb22aa76a6b0a4c5cf8f98b9d5dca64e985d5dcbb882dc
SHA512612872bfecc460ae7b2a506016f5d87c64fd5884ae216921277e2cd4f2b0ccaec0cbaa6013ab057987cf6c66ab636e24305f8d3974a5bb779e9fb7e311c92f01
-
Filesize
8KB
MD5628f540fb6d27b8fd06a705329a15424
SHA19352346043e210fcba5a99411a9b6fd4b306710d
SHA25649f4e7a460f9a6d7b3fbfe186a2d803b25acf6e500b4729d4c452a356ea81304
SHA512bca5a99e7f0415b331e6c981ef806e9dc22ba8a630c9024c8f96d2553a5eb603fa6c546bc4e4af5a7a3707a9142bb0782cc466d2058308efd00ce8cf3e7e63e5
-
Filesize
12KB
MD57258276a676d344384a817a04c9e443b
SHA14c67d872cc19bd62069a41cefcca3c0d4dfffb42
SHA25617ef6ecd60b41fe90e6bc5241c73e6f62c97b02f35d6f72fd7e1e749fc20085e
SHA5128f7db30e719221ca4b83076315005dfd17f49693c6fa6f26fc6eb110e05c416cba778b3a6098bc39095be7838eb6b4723a4e227da9e0599d9656e01dbf41ad77
-
Filesize
1.2MB
MD5f3e9db220ac0c7d16b3b3c08f9a22393
SHA1001200181284061745772182a8838f3286762069
SHA256b822dfe261d0d9e791110d7a0753821194cdce863804732486b50517c7178701
SHA512f6d267346f47fae0081cb0049d4c56e2d1ac9736f618d0c0a0cd0f60823634151682f56cd6a0298428161214e36146800261d668fa025a096df17bd1addd998a
-
Filesize
1.7MB
MD582209f7b936b521292bdee9a04e6fd26
SHA15e43facef769738d91e87fe5f1e76bd51875e0a2
SHA25698960fffdc5fdda40c800f1ce4c2648da734378e9871d58327819ef67d8f810d
SHA51210c19a5c7b0d80962fc95aa69c23efbdc2b5661a22eed0860a7f9dec361f12c499db92ba543bed920b78ca1e2fbb62e4e8c256ebb0f395cd38f68eed9c3c3ea6
-
Filesize
1.3MB
MD5051a095996736dc1030e0d99e52fb5e3
SHA149d209e493f8220fd5c9620d4ba1844a2c578bfd
SHA2567614ce2074595a4731ffc84cc3ddda68b73f73cfbeeaa1f2be67aff895c5836e
SHA5127ea94bad210537a88ac9b61fddc17e0e8635cad883ebee8d8ed436ff3f8a90609219b0d545f7b45bc605d0332e453c71f3502501cf942494062b1cdc6f8587a3
-
Filesize
1.2MB
MD5cb9d0c7ec7bf0435ce33720198cf0b7c
SHA1778168ecd683ffa5c95427cc3ce2a6f28af6f734
SHA256d1bf400d5b98a6d5edd35bedf8ae8e172bc8fbc5d8241a7f6b63758683a1b95e
SHA512df73f4160cd60cd1f0e6b86eea7229b302c3eac7f3f979a649d01623b08b41af83748b0d6752960ffad2842115ab06b6620b38698afe080b7ea6ab8fe727fca0
-
Filesize
1.2MB
MD5cbaaed38ed48ee9c055cafccb8429570
SHA19f7b47bfa5d814594d33e86127e1c48af515f0d2
SHA2561f2fed7a04700320537fe2a1e9f0406bec75bdf1378c9bea8088d4a4fcc0d565
SHA51252a152f1f6f0259a73111080c39eda5cb0b36b5adc3bcbcfe31016acb9c87dc847716a47121f98bb7d749ff3890644ae5804877aec46ce0878f464c43e86e07c
-
Filesize
1.5MB
MD5bae4a049932568294ade8ae2bf408879
SHA1a653e85344ce61d153afbb0081e9eeadaca8e8bd
SHA25610b775e474829cdc633a04551e3be6f8561a4b8aec5ee79fc2d07310e04a86bd
SHA51222c7235c9ba42c087a646c297e8ef80f8af24e5652967b3eb1fa3ca3bb847d5e912817317c66d388f725e447b8732309755797edea5c83b2957b4757905f2a4e
-
Filesize
1.3MB
MD542b13b8b3d1cab212b2b9f9da5811da6
SHA13b95a8d6376735b4f4f7d659f8d40c596fae4d6a
SHA2569bb36d578159417607274e3f5fe3d9c8d786e125e38625668743b5d70adf1d6c
SHA51264a48e0d4e04be502ee0511c2210c4dc38b16134ad8eda348cd93d5d78376721fd8dcca0de568379be4874ff4d389c5ebfe5eb0cdbb0d5d16a05212995cfc9a6
-
Filesize
1.4MB
MD524a6f4cb1297edff4befe5a708e6767a
SHA15f99ae237bd67e64066a610952a8b19b472b44e6
SHA256520cbfbccf7a91fd7a0554f6161194ae7d670e7f93699492d65c0e38970d373e
SHA5127b7f5942fb5163f60491fc644ec2fe974aebf55acf95cb5c3e6b66509cff4ae6f31125e750e93628f66c59bdfe9588009209bda871ad76cf36badb25aaddf484
-
Filesize
1.8MB
MD53b1dc2f04848d9b9bb657a4e3d0e76dc
SHA18333327d506625cc225e5d241831c3860003e4d3
SHA256422b099d66d4199bdebe0da86a4f95bccd6b8468434b11be967b6902119a796f
SHA51225d0a16c60a6e4caa8e5131504bc91aed6ac6abcf19371165c27084c5a3ef00de1e05c81ec4918c3f16a394bc0278bfa289c3a9c668ce6ab558102d10acb4b4a
-
Filesize
1.4MB
MD5154ea444bdcbdb6f8ee271f9ec2e29b7
SHA13b1bf3c5a3e5c7b319fc7b40566588ad1b670d8c
SHA256b49a9f678fd18b28350ba79d977038ed0ce8d04a31dd6a425f8239e4fb79c8f5
SHA512258692f7ad3f7c54cf8526075cbe3d6b34ea1e7d0c2674c04ca8c951fbc18f33ab879ba6e15a1befa5cfbffaa52f72cebf5b0ef5bb94eb1e2670af7c71be76b7
-
Filesize
1.5MB
MD578f00e6b4002a0e4e2c7f07265be600e
SHA15582b88058377a7378325e3870b59f6910348f29
SHA25662d511b68516de104d90beddb9299999b201a9d5bb77acf269a1d4e4b0523c22
SHA5126b886a4997acc3e9e956b25f2ceae37d9811543897b9a1796f71d09ee530685555f0574484219de08590940c4553c710e48d76f3b3f0712cb6a95c43401ceb00
-
Filesize
2.0MB
MD5996f75b81c6f15ea5add78cb8b3d9607
SHA10491cecb75e038bc66a3ce836097e2c9c9e4084b
SHA256c4cd305994752423a2f6deca3cde833754ee42de7703698cab0409fa987d8097
SHA512c8a3aa063bef596e24c76bfa0dedeb24569d057a6f2bab5ff931f4b50f7f21f6f96fa02bff738d95f8edd63ee8f1d35559264b92750f08361210dca2f8cc0388
-
Filesize
1.3MB
MD576769d57217638a80ab3d9103e037b66
SHA1f7440ba63775cde41c434dc4ec8f1d66031b110a
SHA256753fac1135701fa4a572d57951cf8935d976c9610caef4f696c7699eccf88b76
SHA5123fe288d99f28a9a29b57fe9b314213e2446e56ee38e89d85031ffeb11ebc78d7f5f1d93260cb606a5bda2ba37f0c95056531cf498bc44e1e9f86fb3b65e086c5
-
Filesize
1.3MB
MD526ecf5d7d24b795ecde1bbbb69455e1c
SHA1f0edad2b554aaa5d0c52358ddbd0c0a2dc67d3c8
SHA256c1319c50640681b936fa27021acedab0e0a0f0bb03c6166e1bf9be568aee732b
SHA512966c79dbe05b58f5863cfefe8ffa71652b16c0671b639f898da9628b9a59046f6baafd36f5283783c6a1d934c2d7c3828596d80db46d06990db54514c8ff5a10
-
Filesize
1.2MB
MD5edf3ae19bb04739f0c67447ffa478ac2
SHA15e03ee5a05e8af85f9230ae06d6ffb0931c8c61b
SHA256625a028cbc16d64ba59d7125bc86815b070b8cdd80d459bf6f03fb5218ae44dd
SHA51287fab7404dc350d33574d99a08c78f5cf41fc1c4de580a860e5446737d75bd87482fa1d70f60432c3b7382d00c4bfce9d069cad185d081c2350b46c6df5af6ad
-
Filesize
1.3MB
MD57521a90d0318668b12f8f71277ca9521
SHA164c38a1544bf062bd5d98a86cfff298cea584cbf
SHA256b60a687650565a6bfebc9b462e62e63ca4520a62eb61c2af6e4134b6f44dfc4c
SHA5122dfd96bacf41b5f70d0ee71b44ebced4ca3377a7b6f3f5156cc9f23c9aac7f50fea818fefefac491e5e8e20ede7cb1c666de7772e5b0fb915eca9a8411d02a7c
-
Filesize
1.4MB
MD5786194e55cdd4e23f0cab1e8afee03a4
SHA1b96ac96d5cb59d1acdfe395f1a3ac241a75d2f60
SHA256ed256f41f8e392a045f14f2ab191e5369307e7de6f313be4199b14290300738b
SHA51212d0c3dc3607cd3fb4b8b3ce9b069e2e03b45f741028af8da6b0b66546375402150d1632299886243a868f30f3e7a55bb13861467ebda1b45870d91b533bef20
-
Filesize
2.1MB
MD5fca0dae014f68c4bf422a45a3c8ce9e4
SHA14ef616bba1808cc0445474a004525cd7a8e4179e
SHA256c9c8ced3f83b06330dbb3326f8e601dc64f6ecd07dc72906f866e5ef8cbfd394
SHA51239a4a3f2ea26ead551f336f160d258d7c2679a2f0cf1ecf35d7b05d28ca3f597085660a65776479ee4260a7360de4f20d36bd8d0b1975e280bde404a6647ac3a
-
Filesize
40B
MD5a57e00e7b64144dba402c6db0f7ad149
SHA151a33fa8f038784838ba3a6c0fd16cfccf49de55
SHA25626345f4eaae9348eb9da6a4c6101dc723a2cd58c0f15d93f5c1ee628b6957fd2
SHA512a9d626fbae4b1da4d41e75520ebb2eee98cd2a4b9dfdf5f264e574b61f1acbf34c0bca6b1d3e1212ce37c8935a50817c47539b03030e1665a7dcc3a18dffa739
-
Filesize
1.3MB
MD571959ea473ec1eba706f52bb06bb3af8
SHA10a81143114984e1c1a484ca277df3d99b07e6ede
SHA256b2294f5b0d9aca2f8b286503b8f5c1c428c4084b5d9382be82dac0952021c139
SHA5124a95cb3374a170f949ac0b420b393575525a332f74cf26a2083c25da6eb80b92c05f7381ac5b601905f68557f9fa02f9d60502cde08ed7454c0409fd827cb1d0
-
Filesize
1.5MB
MD5e9b8088ad746fb947bad8e09f54d97ae
SHA10b08b588fcdc43477d37ef7c7a181988996cd059
SHA256308ea657cd3c6d605cb9e38a4e479f4028bf174fb843df79e8c0901c323ef431
SHA512016ee708c159b4b45edae80b0de118abf0827e955bc1beab7b991706302e89f4260a16ebe900e43fc0777046a420bf7299787438314631eebb96cc4dda25cfb9
-
Filesize
1.2MB
MD51014be42b42851f2646e25b649e7d80a
SHA1b70e1795fcf75194ed587a4a2f598c5a1af50137
SHA256489f6eee3ca7a0804c051fc37c3b62b2006fee7dde01c07ba617bc2d4468bc81
SHA5128ffc3a7c0e63a97c76b565527e5c00a3b57b1165c727f8a8b2fe8edadbe87bbf3b726e344ef4bfdec16a057a5e9e91d57798a03b32d9ad6b973cf0a45f38ef5c
-
Filesize
5.6MB
MD55d0848fbe9a8c3e315722ace27795302
SHA1ec0dafebf177335140a0202ef6d7604d1dc0af36
SHA256bd4f021c066cac796a8c6f72ce4efd7683b81a56bd09951e13c1d2afa6fb0dc6
SHA51241e5d3fc0ec9b9785443670f5a7c63a94376be88e824ab098698fff6ba474ab5c10008b82d40befb24012795db74b764d1535492959a20a3ea590f8fb04ea91a
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e