Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 16:52
Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe
Resource: win7-20240221-en
General
Target: 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe
Size: 5.5MB
MD5: bf1dee869fb9420e75609ce2d49b2f3b
SHA1: 461a52ec8d952e6bd03c11291f4961ca407670cf
SHA256: 11881b281e509627e79578ae40a45e79942c54e0b2c16fd6c4ee574cd7c63685
SHA512: dbc723fa9a6cfd49d525e61945e8e3420749d159f1b6ca7cdc1a41052a1aa756f18201c4cd5b9c6c488a5a93547a64ce571768df81812b95cd3b1e97c47056b7
SSDEEP: 49152:vEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfb:LAI5pAdVJn9tbnR1VgBVmcEnW6at
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Processes (pid | Process):
948 | alg.exe
4876 | DiagnosticsHub.StandardCollector.Service.exe
4104 | fxssvc.exe
2420 | elevation_service.exe
1544 | elevation_service.exe
3984 | maintenanceservice.exe
3608 | msdtc.exe
1872 | OSE.EXE
556 | PerceptionSimulationService.exe
4060 | perfhost.exe
2628 | locator.exe
4408 | SensorDataService.exe
4344 | snmptrap.exe
1044 | spectrum.exe
2912 | ssh-agent.exe
5144 | TieringEngineService.exe
5276 | AgentService.exe
5368 | vds.exe
5648 | vssvc.exe
5868 | wbengine.exe
5984 | WmiApSrv.exe
5128 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (32 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
Processes (description | ioc | Process):
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | Process):
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description | ioc | Process):
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" SearchIndexer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c03251130c89da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 39 IoCs
Processes:
chrome.exe2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exechrome.exepid Process 4548 chrome.exe 4548 chrome.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 
796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 796 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 5196 chrome.exe 5196 chrome.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
chrome.exepid Process 4548 chrome.exe 4548 chrome.exe 4548 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exedescription pid Process Token: SeTakeOwnershipPrivilege 4124 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe Token: SeAuditPrivilege 4104 fxssvc.exe Token: SeShutdownPrivilege 4548 chrome.exe Token: SeCreatePagefilePrivilege 4548 chrome.exe Token: SeShutdownPrivilege 4548 chrome.exe Token: SeCreatePagefilePrivilege 4548 chrome.exe Token: SeShutdownPrivilege 4548 chrome.exe Token: SeCreatePagefilePrivilege 4548 chrome.exe Token: SeShutdownPrivilege 4548 chrome.exe Token: SeCreatePagefilePrivilege 4548 chrome.exe Token: SeShutdownPrivilege 4548 chrome.exe Token: SeCreatePagefilePrivilege 4548 chrome.exe Token: SeShutdownPrivilege 4548 chrome.exe Token: SeCreatePagefilePrivilege 4548 chrome.exe Token: SeRestorePrivilege 5144 TieringEngineService.exe Token: SeManageVolumePrivilege 5144 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 5276 AgentService.exe Token: SeShutdownPrivilege 4548 chrome.exe Token: SeCreatePagefilePrivilege 4548 chrome.exe Token: SeBackupPrivilege 5648 vssvc.exe Token: SeRestorePrivilege 5648 vssvc.exe Token: SeAuditPrivilege 5648 vssvc.exe Token: SeShutdownPrivilege 4548 chrome.exe Token: SeCreatePagefilePrivilege 4548 chrome.exe Token: SeBackupPrivilege 5868 wbengine.exe Token: SeRestorePrivilege 5868 wbengine.exe Token: SeSecurityPrivilege 5868 wbengine.exe Token: SeShutdownPrivilege 4548 chrome.exe Token: SeCreatePagefilePrivilege 4548 chrome.exe Token: SeShutdownPrivilege 4548 chrome.exe Token: SeCreatePagefilePrivilege 4548 chrome.exe Token: 33 5128 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 5128 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5128 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5128 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5128 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5128 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5128 
SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5128 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5128 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5128 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5128 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5128 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5128 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5128 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5128 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5128 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5128 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5128 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5128 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5128 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5128 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5128 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5128 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5128 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5128 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5128 SearchIndexer.exe Token: SeShutdownPrivilege 4548 chrome.exe Token: SeCreatePagefilePrivilege 4548 chrome.exe Token: SeShutdownPrivilege 4548 chrome.exe Token: SeCreatePagefilePrivilege 4548 chrome.exe Token: SeShutdownPrivilege 4548 chrome.exe Token: SeCreatePagefilePrivilege 4548 chrome.exe Token: SeShutdownPrivilege 4548 chrome.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
chrome.exepid Process 4548 chrome.exe 4548 chrome.exe 4548 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exechrome.exedescription pid Process procid_target PID 4124 wrote to memory of 796 4124 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 84 PID 4124 wrote to memory of 796 4124 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 84 PID 4124 wrote to memory of 4548 4124 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 87 PID 4124 wrote to memory of 4548 4124 2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe 87 PID 4548 wrote to memory of 4656 4548 chrome.exe 88 PID 4548 wrote to memory of 4656 4548 chrome.exe 88 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to 
memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 5096 4548 chrome.exe 94 PID 4548 wrote to memory of 4872 4548 chrome.exe 95 PID 4548 wrote to memory of 4872 4548 chrome.exe 95 PID 4548 wrote to memory of 3884 4548 chrome.exe 96 PID 4548 wrote to memory of 3884 4548 chrome.exe 96 PID 4548 wrote to memory of 3884 4548 chrome.exe 96 PID 4548 wrote to memory of 3884 4548 chrome.exe 96 PID 4548 wrote to memory of 3884 4548 chrome.exe 96 PID 4548 wrote to memory of 3884 4548 chrome.exe 96 PID 4548 wrote to memory of 3884 4548 chrome.exe 96 PID 4548 wrote to memory of 3884 4548 chrome.exe 96 PID 4548 wrote to memory of 3884 4548 chrome.exe 96 PID 4548 wrote to memory of 3884 4548 chrome.exe 96 PID 4548 wrote to memory of 3884 4548 chrome.exe 96 PID 4548 wrote to memory of 3884 4548 chrome.exe 96 PID 4548 wrote to memory of 3884 4548 chrome.exe 96 PID 4548 wrote to memory of 3884 4548 chrome.exe 96 PID 4548 wrote to memory of 3884 4548 chrome.exe 96 PID 4548 wrote to memory of 3884 4548 chrome.exe 96 PID 4548 wrote to memory of 3884 4548 chrome.exe 96 PID 4548 wrote to memory of 3884 4548 chrome.exe 96 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service (VSS) creates and manages the volume snapshots that Windows Backup, System Restore and most third-party backup tools depend on. Ransomware commonly goes through this COM interface to enumerate and delete existing shadow copies before encrypting files, so that the victim cannot roll back. The signature only records that the interface was used, not which operation was requested. In this run vssvc.exe is itself listed below under "Executes dropped EXE", so the VSS activity should be read together with that replaced service binary rather than as a confirmed shadow-copy deletion.
Processes
(image path, then command line, matched signatures and PID; indentation shows the parent/child relationship that the original tree view encoded)

C:\Users\Admin\AppData\Local\Temp\2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4124

  C:\Users\Admin\AppData\Local\Temp\2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2d4,0x2e0,0x2dc,0x2e4,0x140462458,0x140462468,0x140462478
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 796

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 4548

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba3629758,0x7ffba3629768,0x7ffba3629778
      PID: 4656

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1732,i,17578526530994966991,16607945560624501360,131072 /prefetch:2
      PID: 5096

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1732,i,17578526530994966991,16607945560624501360,131072 /prefetch:8
      PID: 4872

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 --field-trial-handle=1732,i,17578526530994966991,16607945560624501360,131072 /prefetch:8
      PID: 3884

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1732,i,17578526530994966991,16607945560624501360,131072 /prefetch:1
      PID: 1772

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1732,i,17578526530994966991,16607945560624501360,131072 /prefetch:1
      PID: 2248

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4124 --field-trial-handle=1732,i,17578526530994966991,16607945560624501360,131072 /prefetch:1
      PID: 2748

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4044 --field-trial-handle=1732,i,17578526530994966991,16607945560624501360,131072 /prefetch:8
      PID: 3672

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4908 --field-trial-handle=1732,i,17578526530994966991,16607945560624501360,131072 /prefetch:8
      PID: 3400

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4784 --field-trial-handle=1732,i,17578526530994966991,16607945560624501360,131072 /prefetch:8
      PID: 1496

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3928 --field-trial-handle=1732,i,17578526530994966991,16607945560624501360,131072 /prefetch:8
      PID: 4112

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1732,i,17578526530994966991,16607945560624501360,131072 /prefetch:8
      PID: 2008

    C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
      PID: 4560

      C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7821b7688,0x7ff7821b7698,0x7ff7821b76a8
        PID: 5452

      C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
        PID: 5504

        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
          Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7821b7688,0x7ff7821b7698,0x7ff7821b76a8
          PID: 5536

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=956 --field-trial-handle=1732,i,17578526530994966991,16607945560624501360,131072 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID: 5196

C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID: 948

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 4876

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 4520

C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 4104

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
  PID: 2420

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 1544

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 3984

C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 3608

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 1872

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 556

C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 4060

C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 2628

C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 4408

C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 4344

C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 1044

C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 2912

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 3900

C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 5144

C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5276

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 5368

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5648

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5868

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 5984

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 5128

  C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID: 5796

  C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
    - Modifies data under HKEY_USERS
    PID: 5968
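The process tree above shows Windows and vendor service binaries (alg.exe, msdtc.exe, fxssvc.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe, the Chrome, Edge and Mozilla elevation/maintenance services, and others) running as "Executes dropped EXE", and the VSS signature above records that the shadow-copy COM interface was used. The natural host check for both is the same: confirm whether those files still carry a valid signature and whether any shadow copies remain. The following PowerShell is an added triage script, not part of the sandbox report and not the sample's own behaviour. The path list is copied from the process tree above; the $KnownBad table is an assumption left empty because the report's Downloads section does not map its hashes to file paths.

```powershell
# Added example (not from the sandbox report): re-check, on a suspect host, the
# service binaries this report lists as "Executes dropped EXE", and inventory
# VSS shadow copies. Run from an elevated PowerShell session.

$ServiceBinaries = @(
    'C:\Windows\System32\alg.exe',
    'C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe',
    'C:\Windows\system32\fxssvc.exe',
    'C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe',
    'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe',
    'C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe',
    'C:\Windows\System32\msdtc.exe',
    'C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE',
    'C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe',
    'C:\Windows\SysWow64\perfhost.exe',
    'C:\Windows\system32\locator.exe',
    'C:\Windows\System32\SensorDataService.exe',
    'C:\Windows\System32\snmptrap.exe',
    'C:\Windows\system32\spectrum.exe',
    'C:\Windows\System32\OpenSSH\ssh-agent.exe',
    'C:\Windows\system32\TieringEngineService.exe',
    'C:\Windows\system32\AgentService.exe',
    'C:\Windows\System32\vds.exe',
    'C:\Windows\system32\vssvc.exe',
    'C:\Windows\system32\wbengine.exe',
    'C:\Windows\system32\wbem\WmiApSrv.exe',
    'C:\Windows\system32\SearchIndexer.exe'
)

# Assumption: SHA256 -> label, filled by the analyst from their own telemetry.
# Empty here because the report does not tie its Downloads hashes to paths.
$KnownBad = @{}

function Test-ServiceBinary {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'Missing'; OSBinary = $null; Signer = $null; SHA256 = $null; Size = $null }
    }

    # Get-AuthenticodeSignature resolves catalog-signed Windows binaries on a
    # live system. A file overwritten after signing comes back HashMismatch;
    # a file with the signature stripped comes back NotSigned.
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    $status = $sig.Status.ToString()
    if ($KnownBad.ContainsKey($hash)) { $status = "KnownBad:$($KnownBad[$hash])" }

    [pscustomobject]@{
        Path     = $Path
        Status   = $status
        OSBinary = $sig.IsOSBinary
        Signer   = $sig.SignerCertificate.Subject
        SHA256   = $hash
        Size     = (Get-Item -LiteralPath $Path).Length
    }
}

$results = $ServiceBinaries | ForEach-Object { Test-ServiceBinary -Path $_ }

# Anything not 'Valid' is a candidate for the replaced-binary behaviour above.
$results | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize

# The VSS signature says nothing about what was done through the COM API;
# check what is left before deciding whether recovery from snapshots is possible.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if (-not $shadows) {
    Write-Warning 'No VSS shadow copies are present on this host.'
} else {
    $shadows | Select-Object ID, InstallDate, VolumeName | Format-Table -AutoSize
}
```

Two caveats when using this. First, a host whose service binaries have been replaced cannot be fully trusted to report on itself; where possible run the same hash collection from a clean boot environment and compare against a known-good reference. Second, catalog-signature lookup depends on the live system's catalog store, so on an offline image expect catalog-signed Windows files to show NotSigned and rely on the SHA256 comparison instead.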
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD55c8b0e37c55a9d4d916930aedac25b01
SHA1e65ac733a862bf175e79044b477710baf11ebd2a
SHA256216b7e0fa665a7473e9a4447ad7c0b96f6e072a41ec5d30b1a1badab10732c56
SHA51204ae7afe3daa84d8487a17e02e70cf4dd3d86de1baed6af698d3984d8103aa4ac2170d0843eb49d2968d420adf01d8d2ec9e984f365aedd972e8fd75bc8eed53
-
Filesize
781KB
MD5f248ed9594dcdf079d745ebcdf1ec4f5
SHA110eee739c2d5d251d3c6fa74c65fe1905080a09e
SHA2568051682fd7ca0d5c0e243fdb4a3256a1d3094a983b4f6c28c5d86a47ebe26287
SHA5125911ab026bbd1fd7e28af13c6dbf947934db27b636dfbdf196021eca072b4852095234554a7d8a04d96f198c9f89f865f3c826e16c22198aa263d6755bb3ead7
-
Filesize
1.1MB
MD542f39a5029974af53155dd6297a10b5a
SHA103b546da8c9699af2e23a0e540e82c1a004b1745
SHA25645607adfcb8b48a1f8536bc41d3230c0d422ff5e77fdcf95d89587ad6ad0ac67
SHA5129c245f18384d4db8a787c20dc1a31083423347e1053a4b94e71f59f60d9924378f5b2ee015facf615ad1e661944923ab9835b974ae0112fdce60fb0caa8d5230
-
Filesize
1.5MB
MD586e6e494ab3a76df0957bd1d2dd513c2
SHA1b180f21795200b4175018bc3744a42f92925d68b
SHA256cb573ac66ddc8dddb6177e76db6332fbe69bdcffcfcbe7e000c3c6cb4c6695c7
SHA512ebba93a847633e801284035d2ee77d979e83b973eb1da5235da32f338609d33319c4097efce843bad35fb08f8196bb788534e425a87baa22ef950441e2ad747f
-
Filesize
1.2MB
MD5d64b48e82a78f7ca1fee9821621fe79f
SHA144ed07374dc5e8c51b5dc63945d9cacaa76d825a
SHA2562d4579403b419a1337b79e5b8e92160a975172344283baea0d3c30e1ed21edf0
SHA512354acddb3fc66d26ccf2f9826b0777f99abddffcd89e6e6f3c1710924791f5ef96e8b8d275d7b7338d527e188086803a775e38124e3b640b345e90d13559524b
-
Filesize
582KB
MD53c8eb6c15bb879d168fcf88339260775
SHA1419c9a399f3e4b6c6d05c5a87c261f31885cf8ef
SHA256f60b61a53fe6d8ee8ee41213c760c5ea81378f67bf7fd1d3ef727477c0d71027
SHA51242ea2fff09672a3cfe173e9d9ef0190c216c38ab58636ebe5f8ec40ad80abc033fe31e663617083ef783c6de82018a5ea444d429b4a9d339a3e404273b0d41e8
-
Filesize
840KB
MD574cf5943f2f54f055dd022adca407e41
SHA1991e62eb0271efbc6d6753e4978533014b4262d9
SHA256acd4a6fe367a0d1493465f95ff4e6b1f3e9b91bb36baed6d72cf971fbd02fafb
SHA5124b859ef1c6c6c566adf6959b992d0c456cb823179d370ccff8233819941275486ad89d0e92a7134a53305ff536df22537daacde77f8d11811153b28d8ce05a1b
-
Filesize
4.6MB
MD5325843e0126e3cae074ac52dcd2fa272
SHA11d84b7ea32fe0c4e9c79210c72c94acfd84cb530
SHA25689d72404d3fb827299c0b6f631444ca840d370478a28a734edaffd168af80f1e
SHA5120a2062c1ca77a61eda6dda1f57ab1a8d0f069222ed59704dbfc2f7f91a42eae1d83a69fc46a144c6d448b78ab2f705db374017711fcfc8ff5476bae4c841ca84
-
Filesize
910KB
MD525038a3b6f49b2be50e0c985348b0e1c
SHA1447b542830e611a7f593dea0b4f4a84fb686823b
SHA2567bc108ecab1e6c7fb8c9049958f8608ea6dc47ceaea54eb6c80b6cf430cde9d2
SHA5123977282d116fe3d779b8fd0b06023ea8d4973637d8afa5423f7ca7dcb9da037b68a5c9734843d697cb687166eba08fd91a25efeb07f64db9af1af6a4e4f24508
-
Filesize
24.0MB
MD5327c073abf2fb18b4a90e75226b7cc1a
SHA105ae2a8b24336c0508b7a3a075e869c9420d7a9a
SHA2564e24b1c572feb9361430847233d543da381bcbaf9d43d15d75bd74aed9900f3b
SHA51277cda1519aa663e27429363f31a79d704ebf26945ad1ea28c7adae735f9d0e8eae4e7fdeb6162d1f90f1481385314a00f389b44ba027c6bff4719975abf7c665
-
Filesize
2.7MB
MD5e4d79f727f2e2287d3f1e54daa5c97f9
SHA156a29c2c17df8414bda7ca7fd6c2ec510e6371cd
SHA256d86c0c970629cff52ef617b5c63fe6b503bc179f30e7808158e748fee9d85927
SHA512a4e321d28b4efb1be6bb2a5c0d404174b33eecc28dd2013ea583ca93ca390b71541db753eac8176f2fc18fb99b40eed7d94d8f8f01effd24dffc80f49ae9d749
-
Filesize
1.1MB
MD5d92695843b950ebebad858cb427e5abe
SHA1a32776340c68384f098342382e9d9f6da031a195
SHA256e25737c266a391fb082891567152ca86b19469336a2fb1293d1c087606b28f4e
SHA51209dbdd1bb68283ed7d690d71be3b6a2b20bbdbe0bcd261a0543e1b40a5681f1487fef9993d81fa27ae9b1039077a320f5c5ea4c3e18278aa920a3eb14b0333e1
-
Filesize
805KB
MD59c0557c9b2dfac168617a69f6aa966c4
SHA105931e6db7bf123fe0436555e6fc223e3993d4b0
SHA256f950d50936739a3f3b242e8cbe5fbba11c5c21a3180262a3b16bc35b855b3ba7
SHA5126c907a348c3611a5555cb012444cccc15dd0cad607d454e415681c17fc1de287511b9994b64223c9e899f256a04b3db7d111b37e8987a75e5c059a0ee3c3e8b7
-
Filesize
656KB
MD5
9dc3414faac6280f5c133eb1be832a2c
SHA1
7e0e402f61fe76314f616dba9b470adfc47b648f
SHA256
0f532f65f131c3e567bf85b7f6b83a3921708cec6cfc286a9c259b3667bc0763
SHA512
42acc3eb7e3868112286f03ec0cba74b1cd3161a7a6567502beb384cd37073fb3e952a285297017ee70ddd5cfdfd6f509d3881690c1e9206106a3ab220f4d82b
-
Filesize
4.8MB
MD5
d9f836bcf3696987d21c35413f738274
SHA1
add511d0e2b73582906c2ea243b7e6036bb3eaba
SHA256
2b38a5afccf17e9da5b7f6f9074a82e1533d77dac00b65c31b90073930e458b5
SHA512
d37a2212d1f7a94656d526eca5d3f1f33bcd21bbaa7504ebc50bca50960b04ad0d9f385b41df09ab78d0b2aea9ee751846f077dde4ff80fa2ac24ab8813c16b1
-
Filesize
2.2MB
MD5
0b72327bd8d05e9dfe8f2332fad3d522
SHA1
51b1661eae048b528d7b55f98bf76a3c7b79ae75
SHA256
791766abc26431d5fa6528ecbee92fce7d43ac0a53c7c418bbdc18f06faabd4a
SHA512
b2823db4adae83f2164d4361073ca5cfa7f34ce6ae3a64ed6248638725ec84b52c4cf979039223613bb61079ce371ddabfa5a0a156e7c2050e9a7cbea1454523
-
Filesize
2.1MB
MD5
9ce8e578014c87e4fcf1f008bb1b0fda
SHA1
0457c5a7d0235cb7a43102c6478c5e6cef812201
SHA256
a8fce78fb907f6070ee133e15a0ca6eaa7f329ae35e7d00422412245c1305d0c
SHA512
11c91487e29a738fcf92bfff122c2a578b85d80073519449bcb09462a56872d18ed278f3bfb337affddd72fa56be8c9cdad841f8b7e1125bb5d8953bc247f299
-
Filesize
488B
MD5
6d971ce11af4a6a93a4311841da1a178
SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize
1.5MB
MD5
f4329d28354f519f70167598f20caf31
SHA1
683dc078156c3d86b0524afdb7cd0fdc2ea1c997
SHA256
b401b133609a97271c975077560ffafc7eed57003a49c443ce424d6171517a07
SHA512
a4238208e7ff44093f9b3ef87760b57bedf3f59db867ac89196f22c4c35d9823471da78f36fc8282023dca012d8b1472c9de8dc81a8ef737ac3c450240534156
-
Filesize
696KB
MD5
8b9628da3c9fa0b80bf14d1e5bfd5425
SHA1
f6c44d52ce5b3efb8d857ddaf067a9e00a87b4e2
SHA256
e15b6c0cc413c3d9e75accf7e305eef7a31b513c9e7a554a0c1307ef2e415b65
SHA512
8d56137e80fd8641ca810db22be6b68478692e98d713348b1f11a5058f18d73682bf94cbb0bb3344c5d3181f8445915727c99d3c2e467c3f3b8f41b6ed74e1ca
-
Filesize
40B
MD5
99cc49358cfa3628888247c84b312722
SHA1
72df90d4341e204b5d695a65f8f0575d75d6d342
SHA256
570055b300595d9bee19cd486aec73f2e432043cc1a510b5075bc55da6b32757
SHA512
1b3f0129c396f2e582b6e1316e622f9faf71776e5878c95e71a961e4851f9aa90b651f0e3c3d406602c79f377776df5c8353578f44673359088ba16998fd614d
-
Filesize
193KB
MD5
ef36a84ad2bc23f79d171c604b56de29
SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize
1KB
MD5
584fec8ba309fc50b9e653e1d30d30fb
SHA1
20290c3b9f5c7112c4919f728e18affc220a138b
SHA256
edf0022640f95d89ab22621d1124eea0292395536b40dae899a0759018ed2240
SHA512
750cf50a1e702bb16a437b39121e419475db7cae6e0d11ee073e1412928e4ef7ab9e8e799fe564d316036ff0dda57d2d59e283955e4be7c2ef3d25dedc2905e5
-
Filesize
371B
MD5
23032e6d5ff19285d2c9b29580789cb7
SHA1
8f74abaa52eacb674b327be83f64f5bff60ad603
SHA256
7ad25cb4f98aea36a99411b1e4415cf6e8ad5a6147a499666e602b67f8d8b7f0
SHA512
44b5726f5a410be02cfe35cf01e02b52f4497a5c28f07a1ec8a63327a1c16964405dfced2f42cba17ece0ae1eac58e90533f01fddc5ae0ec6b43850d13cb048d
-
Filesize
5KB
MD5
219848934c7bc5d5c2dd693c05f45ee1
SHA1
83d4c1dc2a568f898bb0f1a4d1355846b15b47bd
SHA256
3aa3f7f7751450254bf58b2606348aaf63705847da8b01c3b818fa0587102c45
SHA512
6093671348411630139ca3de0c67eecbaa1e86d403becc23cb7bb4fa4b2c82b2cb3fe0640b3b4b42d5eec8bc7175de2a851c0107c809699b99a8a1b64654c818
-
Filesize
4KB
MD5
389bd40470f961d69adc704eb6dfc783
SHA1
a7f3504cc61a49d0e3055551280eec7f8585c802
SHA256
98fe2ca00d44c10d0e9dc12beb4cbb8ae88b3639460af17c79bec4d543d66b94
SHA512
3c09b868daf1e05bd9abf5ebdbf6f9a8373595b3b16add7332c3cbae6d693f457d570ca6c29d36fb9d2792411af1fb747d3bff4a43cdd96ea69dbf2877802cfc
-
Filesize
4KB
MD5
8315e9745444bf4842c6264b29147817
SHA1
366b5bd1e67d986c54cc40257cdf26a4681ec401
SHA256
9254c8bd49d70174885270fed159fc69103b4a4b7b50401e9fa425c2113b4620
SHA512
4042eacba7fff35d8b1a49f5e01e6726c570abb1069c7c8f287447eb7c6c7230a82a79c7e9a84546dbb6d89ecb5b60c9eab795e68e6aa5c52b7d82bd44d29b1e
-
Filesize
2KB
MD5
9789813c7b351abcd4b4cc4821874f82
SHA1
3c3839cb1e6fcbd66f3c6dfc092f3aa49c057c03
SHA256
899961eb96b3c34c8a0b0bed8f6e6d81c5979592af5cc0144590b71e394bf7b2
SHA512
9c8dce395a863812d3b050b5068e97301309e46ae0c69f6ee0f8539f3dd453d269bfe4865d4afc6a8518e4b85ac49f8901fc937ca19da27a1e5bd178e3774a76
-
Filesize
15KB
MD5
4194d6ab4034ad5a68eae2941b179828
SHA1
61d9260bb4511ca1bb5d9d3026487da671870e6d
SHA256
3bd5dd4c9f3ebcb9899977c29e593fa134b8c92c525784202d4df6a3231fcd63
SHA512
f800e7a056a928ba3c5664f930309a259f5b3fe7aacd830d7c0482c7655eca9a9fc0517bd471e237447834c2542492ab87e0fb82e8c43760a09345235faa9e01
-
Filesize
260KB
MD5
cb492611da93ae9f392f6f7ed42bb3fc
SHA1
bdfb6c438d8876b59dd22471ce534d178fa3eb86
SHA256
aead10e836c78f55dd0ad7eb3e766098a48a135ee9932ec2222d82e2c45bcc6e
SHA512
5df400ec36b17a12cf4e8bd241cc4c7dde64f1e593c658cf477fe142c123fc9c06a82c72372ecd13ad8171e21cd27ee246c738e65892f55d9dd4ab03ee34098a
-
Filesize
2B
MD5
99914b932bd37a50b983c5e7c90ae93b
SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
7KB
MD5
da6e21f45e3f2c8f273e1e4ea4edc817
SHA1
0578ff7701701ff4f690b59067d173fa2ae5873e
SHA256
6f75d1555172d616b34f94e0711e3249114c3f088570a19e981c7301b79265e4
SHA512
3cea070981126d06518955739cec546dbd85e7597ba55ac20b604d10e25273ab55433cba31585bd0e8f8e2c972bbf36ad395d099c7f0a7a23590288f1fe58ac4
-
Filesize
8KB
MD5
4f77bbc6975075394a9d8a42ad713c5b
SHA1
3862b4f4d42aec8d2c2261e39a7a74f3437154e8
SHA256
30b5facb44a6bc3c388f20fbf1b0ce8e3a3db5a5eff84cf59ff0d44723e23183
SHA512
6105f066b02494dc71cadda34d9d796565288825e4d2ec9b493cd09a838821656c4fb606815fd791a87fd487b6edaa7f6e2f468c10bdc2c6e3bfb5a7e2ab6310
-
Filesize
12KB
MD5
692611ee9f5fa6ff4025ab76ecfad47f
SHA1
2a35a6dde3a5c2f6c6e59dea96503d10346c51f5
SHA256
5bd2f7f14bb15a758bcc0e03be1772acf3bd28e082208006c6da7877c1e9be15
SHA512
d7e37bf8074ad897595bbbbac770858f744d6726ac7831e60f94671d3396dfb407137f306487cd37d0d88b8cc35461ffdb57310410f5c6b386681dae7ecedb38
-
Filesize
588KB
MD5
1a1816feff673e0dd478ec569951178b
SHA1
493de1066ec36263fdd1e3ef77a3c483fb7c5f96
SHA256
f22559e2d5b91fc08af27804e15f78b644552dd1f63f9b3091904f79229cb482
SHA512
edadf28026fd7da51c2a6b50d818d9659b86463637c714c5c5ff11db29e8e97f82fdfbe56052c9802c30bf063fdb97717fe3caecc6b36d24607d33ee7aaa25ce
-
Filesize
1.7MB
MD5
a0da5c9e078288fb39bed0b0fe76d8c3
SHA1
15fb1694d3fb444b378e0b7e9d653df9b3113c2a
SHA256
8301197a7f290c189a8f79c39217a14b7ebda15be82ff5cf259cfc3fb2384374
SHA512
bb763ae909b2f168a270e82f64479a654d537427a75919f35ac28b0b86325890803aa19356f8175c31cba3949206e23b074a91d7900cc984d0e4639c35e4bf44
-
Filesize
659KB
MD5
1000bf31cea15585a96478f5b0e8ddd3
SHA1
67cefddc34d4e4c0e7c9ad6e74fa4e25af9ee2fa
SHA256
7a4c25dab510222486c351d686a28b7142ef909f96e8bb5d6f03ea70f4defa37
SHA512
c2ecb2602f4c683ceabde44e700cc14af40ca8225ca80f17af859bbc133c52ee42fcc5e771d101517cd0bf09165bc8cfb9e8f6f127ad19e5cb04ae1fb309bf31
-
Filesize
1.2MB
MD5
58e6692ce6821555052ecade576d9ed1
SHA1
1fc05dddab4bef91ade904b868b5559bee86f60f
SHA256
66ee5580f4fa17e9b88cb79fb13a4491c5fa2e091b751ef3d13d605957a9b51c
SHA512
5baebb7e925742df9d401c81c546d3f5b73674332097c783de5c4a10215f82fe867978e037a3bc79e9431c0fdefe80e47f220ef3275a708754297f5ae9c19dc5
-
Filesize
578KB
MD5
949ea057e36e4a7dad3f2c658e79582c
SHA1
89a7fb975f830e160b1545346d2aaf009d211980
SHA256
8f84695456135f5f0ec5b2a6e4e8611b0a9d6ff4af69bccb153ebed604dd2713
SHA512
f7a4cc25938e0d984b0cd45e4f016c916135d0219e4dfa7382725116b92460a1cb450c884f70ff20876e66c2ad9766623769bded0d63a8c88e4e42f33116a6ea
-
Filesize
940KB
MD5
ec855f66842c14818e169584c401179b
SHA1
6bd3305b015f861bc24457fe25b3af92dfcd5a02
SHA256
406f7f03ecb63ea781ad1cc524dc16ff9587938db3426fc0fce3954e1bfff4a4
SHA512
29ab8fa58eb963bd93c9688e55028eca233b6219cf616216433718bd541eb736fb9d75378f9d9520905700b0b6716517f333389b7c53ab0fce5b9b670641c966
-
Filesize
671KB
MD5
01a7237888df8103f19427bdf4f9eac3
SHA1
9394d1a9d2ffcc94cd01ae83f65efcce902c9852
SHA256
2eae546fd01fa27c9a50c950cc12915432814083f7cac253c4ee4a6149f5603d
SHA512
7548ec8e5574f6cbfd9d03b4a3b3b5e9ba2ff84a81eada33037239f46c2642dd3bbe1c727e50ced19799b9cd6fad09c2ba5989dec34192509f335e83ddc8a94f
-
Filesize
1.4MB
MD5
bc610c3571a963635f42addbe4d36c90
SHA1
5bf00034726192b6f153660cfd267df1e5587011
SHA256
5a3d50758f444f12ca7e8e346a2786412b08d611e98665f5dcd5a97bb28ca90d
SHA512
ce7f81877a34c6c1fc0bc2f658c27e4b0b94f09011e2d4521123d433fbfba9951e45f4da4ac57dec18d5534a7949b7c34ccfec1242553d7fe49c67742a998a0b
-
Filesize
1.8MB
MD5
2075558869066d4a8959783df4dc4352
SHA1
1076498d5e9abf048fb3b66ccf4c60b5a0d6f157
SHA256
ad396fd775056453def4767fd5db8097e4230681286df110643e32289355a99d
SHA512
df6c96e706948e8e3adf711afed941dc1569b5095374ae9eee4914a5eb69e28816e94e0b5e3da8a3db1facf1f421a9329f8c7428644bb8a5c4933ab2a75c2b5f
-
Filesize
1.4MB
MD5
cd4265bac7c3bf8bfba468c226a744ff
SHA1
7fecda0ea69002c96fa434a6f99e8f4d12513e10
SHA256
0febf3c8922111df031892948b87eba9a1d86def6eba46190c027cf43d284fca
SHA512
d960ea9c299f166b61ec84a9fa799bfdab3048ed2e138e4c41097d080bad6cd27fbba956c640b73cda70bae0f86d3994e7bb72ce2567c1101fc7098c9ea8df73
-
Filesize
885KB
MD5
384b0b47e3c5cb5500dd297f087facc1
SHA1
1a7d073afbcf764e7cbc3e7b3380bea2b1fafc1e
SHA256
8f74377f5a477bdb423a83adb25692e7bb7a2a0efcf9368f50016be2068da4d2
SHA512
93d07c86b9d51b1bc348acd10c524435346f66216337c7d5dd759ab8ffea87973f04e3e03eb3be485d888c881abf668f8b629ecb0233504c439db4af91c0db75
-
Filesize
2.0MB
MD5
11b566ad9caa9cf88c763ecf89585dfb
SHA1
0d8705ac0f1361243bad99edd54037106df3b391
SHA256
31deeddd26327e93b8fd32904684e27cbdb996269b863792a752747ea0bb2b2b
SHA512
470b31a606965c2d688e13bbaa5559154ee5d401c8666ea283f52f434544d0764c5d8f7c2b5a3146a003ab7df6a873c01e73c1dc707e2652bfa0887f77091fd3
-
Filesize
661KB
MD5
ab926501235361b6f069552c9f366c01
SHA1
b1cb6c2dcd29d892ded814f0c49e835eacc27464
SHA256
6c5dda75bd71387c746be6222dd06959054cc6d145b375d68be89106d28e5424
SHA512
c8e37528fd831fa5ac98037caf90a046a53ae249e29ed80cc8a21bd1f9ff1a10decc0eef5ad707e3e883683e7c4bc6be42a5e5cded47f1ddac6e0ca58e467044
-
Filesize
712KB
MD5
e7f2c6e4bfa9077a09e71ee339071f56
SHA1
c0d12ee0e7d485e891c97db459194961e57a082e
SHA256
956eb8b90cfb5d3b92e9f256e24a4791c9a19ae683b27067fc4af8be395087b5
SHA512
807a47f6a953e0e187109ef9222e777d1895815ac139c9eeb32fb62e1b6acb8fa021f1e42e2d67963f00d811672d9123b4f9b1950639cb6296eb0e14c8e836e5
-
Filesize
584KB
MD5
cb687b0e6a515f52ae677e9cf5b8c444
SHA1
fbad7090f6bc74d2a7b3f2f75877b3d703a58d2a
SHA256
a1f6523d8da1ed912847f52e941fa5d3ab8b4d15d276da8025f2af83db310d90
SHA512
4d4912e03c36d0046d5471448c4c5a1af31f57b60804c433bd5c41e2247f5e7edd16072513028930a30d2a72a946911fc2103efea0d4d96ff838d07fe536cfed
-
Filesize
1.3MB
MD5
b740b69ecab43de9637fb1cf599f4595
SHA1
2f67106523102b9a6194fe12be10e24c824cef36
SHA256
93c94d1bce95eef4d67336c700f1743f6ec67b7352b3bf518c27bc8bf6b0f3bb
SHA512
0e1a3bd01b53acde267ad4e7b31f9bf48fd2fc362ddb668b921e5491baa385fc9958d0b8ac940ea36b3826bfc67b644a254c57374a5e097114381a4c88dc0988
-
Filesize
772KB
MD5
0902ece5f3e7d12ace86806ff8478492
SHA1
33371a6c1ff2b7ed354eecefc95fbc89b296fc06
SHA256
f2035ed089951e5c76e775a90d3f13fb6d9a452aa5c58c364b689690658ff3c1
SHA512
35a758e8fc980e46503bdfdf2c5ffdded08fad60f9edb30f04e13aed018f651c3e8aebbd6215a1aaf2cf621d8e6e6c18299c0beecc67cf2b85c67985733de3d5
-
Filesize
2.1MB
MD5
43329761c19dac3daa8b1caff0254f0e
SHA1
06d24143744a6e92f12084cd445a9c409125fcbb
SHA256
da1343c54507f4132bf2a7a1b7fd84cc638c63e0ffc683533b53ce685cf3d38c
SHA512
9be8134c130b43f2875faef2226c163e16588c64b0374f960083cf206eca6d48ee0d0f1a94eb8d7e43fbd1005777e290cd8c4425719f0c4d089b458c597301d1
-
Filesize
40B
MD5
a57e00e7b64144dba402c6db0f7ad149
SHA1
51a33fa8f038784838ba3a6c0fd16cfccf49de55
SHA256
26345f4eaae9348eb9da6a4c6101dc723a2cd58c0f15d93f5c1ee628b6957fd2
SHA512
a9d626fbae4b1da4d41e75520ebb2eee98cd2a4b9dfdf5f264e574b61f1acbf34c0bca6b1d3e1212ce37c8935a50817c47539b03030e1665a7dcc3a18dffa739
-
Filesize
1.3MB
MD5
d6fa0e89590e09711fe190213cb5362c
SHA1
ea99a3b9f1e0f4a0a4ff30864b619424e214d72a
SHA256
6f647f3e2cbec40208c184445e60894c098702d14050c18e491377ae14162750
SHA512
c33febf6d263b307bf0e288ea11b3e85e0211079c40462a690d140f4a2babf7e0f0ed19b6b631b7d7ea7f167e42ad506b4716f57a14fda2e7ee1dd6a1adcf598
-
Filesize
877KB
MD5
e74a56f2b86ff2917d3b369b8c42cd64
SHA1
d35812704a918e80e073ab62df2fdfff4bb2e5d9
SHA256
52c8fcba7b00466578020e92cb759b1f927ea24946b2f1c9a8fd9e76a63303ec
SHA512
1eddadd79d9ebd63a8cf5ef582af503677624ac5a191b314c98a9e875370c2cec4477550e549552c0d051cb6effff6278aa645e3fe109b83f2f54fd87a091bdd
-
Filesize
635KB
MD5
d5376d475fa57b37b25ed6f4c5613106
SHA1
83b133191bc6d5c11de056137b2ba93d525f349e
SHA256
55d7d8f042656b7d7795ec314b7c69148614c8fff5a8ec2e14dbe6b8927f3f0a
SHA512
750985362eb546d8a1cc9158aeed92684882d7f15d5cd404452448634f09e240c1594b0fa8d191fb69faed114767f8b56ae68e07dd5ae9677eeb30e0e605f0b6
-
Filesize
5.6MB
MD5
a6d2fdf61a421e099c6577a1f3e6b0ef
SHA1
dbccdd095caf6965a5509bc2929c3256f486827c
SHA256
b58b0ccd98230dc4bcb0667c70d4376887fc1f6edb342634653f24a3918e3ed7
SHA512
12128044f47e1b6c2a243bbe3072ad0169ac749b641d071a2e2624ea4f21bb6379c0f26bc10c4e21be00f06e87c63a4cff98942053f00b438e97bc1d160c4002
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
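A dropped-file listing like the one above is usually harvested straight into a blocklist, which is where it goes wrong: the last entry is the hash set of a zero-byte file, and the 2-byte entry is the hash set of the literal text {} (an empty JSON object). Neither identifies this sample, and matching on them will alert on every host. The following script, an added example that is not part of the sandbox report or of any tool it names, parses the report's raw label/value layout (including the label glued to its hash, as the page extracts), checks each digest for the correct length, computes the digests of a few trivial contents at runtime so it can flag entries that are not indicators, and returns the SHA256 values that are safe to deploy. The sample input embeds three entries copied from the listing above and one constructed entry with a truncated SHA256; the trivial-content table is my own choice.

```python
"""Parse a sandbox dropped-file hash listing and keep only actionable IOCs.
Added example; not part of the sandbox report or any vendor tool."""
import hashlib
import re
from dataclasses import dataclass, field

LABELS = ("MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# The extracted report glues the label to its value ("MD5<hex>");
# accept that form as well as a label on a line of its own.
_FUSED = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9A-Fa-f]+)$")


@dataclass
class DroppedFile:
    size: str = ""
    hashes: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)

    @property
    def actionable(self) -> bool:
        return "SHA256" in self.hashes and not self.problems


def _digests(data: bytes) -> dict:
    return {n: hashlib.new(n.lower(), data).hexdigest() for n in LABELS}


# Contents a sandbox routinely writes that identify nothing (my own list).
# Digests are computed here, not hard-coded, so the table cannot drift.
TRIVIAL = {b"": "empty file", b"{}": "empty JSON object",
           b"[]": "empty JSON array", b"\r\n": "CRLF only"}
_TRIVIAL_BY_DIGEST = {(name, hexval): why
                      for content, why in TRIVIAL.items()
                      for name, hexval in _digests(content).items()}


def _check(e: DroppedFile) -> None:
    for name, hexval in e.hashes.items():
        if len(hexval) != HEX_LEN[name] or not re.fullmatch(r"[0-9a-f]+", hexval):
            e.problems.append(f"{name}: expected {HEX_LEN[name]} hex chars, got {len(hexval)}")
    trivial = {n: _TRIVIAL_BY_DIGEST.get((n, h)) for n, h in e.hashes.items()}
    whys = sorted({w for w in trivial.values() if w})
    if whys:
        e.problems.append("content is " + ", ".join(whys) + "; not an indicator")
        # All digests of one file must agree; a partial match means a
        # transcription error somewhere in the entry.
        if any(w is None for w in trivial.values()):
            e.problems.append("hash set inconsistent: only some digests match trivial content")


def parse_report(text: str) -> list:
    """Split the listing on its '-' separators into DroppedFile records."""
    entries, cur, pending = [], DroppedFile(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            if cur.size or cur.hashes:
                entries.append(cur)
            cur, pending = DroppedFile(), None
        elif line in LABELS or line == "Filesize":
            pending = line                      # value follows on the next line
        elif _FUSED.match(line):
            m = _FUSED.match(line)
            cur.hashes[m.group(1)] = m.group(2).lower()
        elif pending == "Filesize":
            cur.size, pending = line, None
        elif pending in LABELS:
            cur.hashes[pending], pending = line.lower(), None
    if cur.size or cur.hashes:
        entries.append(cur)
    for e in entries:
        _check(e)
    return entries


def iocs(entries: list) -> list:
    """SHA256 values fit for a blocklist, deduplicated and sorted."""
    return sorted({e.hashes["SHA256"] for e in entries if e.actionable})


# Constructed sample: the 2-byte, 40-byte and size-less entries from the
# report above, plus one made-up entry whose SHA256 lost its tail.
SAMPLE = """\
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
-
Filesize
40B
MD5a57e00e7b64144dba402c6db0f7ad149
SHA151a33fa8f038784838ba3a6c0fd16cfccf49de55
SHA25626345f4eaae9348eb9da6a4c6101dc723a2cd58c0f15d93f5c1ee628b6957fd2
-
Filesize
1KB
SHA256edf0022640f95d89ab22621d1124eea0292395536b40dae899a075901
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

if __name__ == "__main__":
    for e in parse_report(SAMPLE):
        status = "OK" if e.actionable else "; ".join(e.problems)
        print(f"{e.size or '?':>5}  {e.hashes.get('SHA256', '-'):<64}  {status}")
    print("deployable:", iocs(parse_report(SAMPLE)))
```

Of the four sample entries only the 40-byte file survives: the 2-byte entry and the size-less entry are flagged as trivial content, and the truncated digest is rejected on length. Run against the full listing above the same filter drops the same two entries and keeps the rest, which is the set worth pushing to an EDR blocklist.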