Analysis
max time kernel: 156s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 17:56

Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe
Resource: win7-20240221-en

General
Target: 2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe
Size: 5.5MB
MD5: bd102a580ca351b70cc7c6ea03a156f3
SHA1: 641e34e9330ae76ab3cf4902c86caf758bd950c5
SHA256: b09a12c1dd4053b4d49d33bfb5ba49dcd288193933a5376b515f828cdbb12e85
SHA512: 4916ad6ec88e012d597fcbaac9b9d979119924b35e6ac1a99edd3eb23de8ad56287dcedd1e2a852fea00a8b975e656de8041a7e8233af31b23ce3628bb921612
SSDEEP: 49152:sEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfZ:aAI5pAdVJn9tbnR1VgBVmJ8t4C7
Malware Config

Signatures
Executes dropped EXE (22 IoCs)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, etc.
Drops file in System32 directory (31 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
Processes: 2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe, msdtc.exe, alg.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 39 IoCs
Processes (identical rows collapsed; ×N gives the repeat count):
pid Process
4596 chrome.exe (×2)
2336 2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe (×35)
6000 chrome.exe (×2)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid Process
664 (×2; no image name recorded)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
pid Process
4596 chrome.exe (×3)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description pid Process
Token: SeTakeOwnershipPrivilege 4320 2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe
Token: SeShutdownPrivilege 4596 chrome.exe (×14)
Token: SeCreatePagefilePrivilege 4596 chrome.exe (×14; the two chrome.exe entries alternate throughout the run)
Token: SeAuditPrivilege 4800 fxssvc.exe
Token: SeRestorePrivilege 5456 TieringEngineService.exe
Token: SeManageVolumePrivilege 5456 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 5596 AgentService.exe
Token: SeBackupPrivilege 5848 vssvc.exe
Token: SeRestorePrivilege 5848 vssvc.exe
Token: SeAuditPrivilege 5848 vssvc.exe
Token: SeBackupPrivilege 5964 wbengine.exe
Token: SeRestorePrivilege 5964 wbengine.exe
Token: SeSecurityPrivilege 5964 wbengine.exe
Token: 33 5168 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 5168 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5168 SearchIndexer.exe (×23)
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid Process
4596 chrome.exe (×3)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid Process procid_target
PID 4320 wrote to memory of 2336 4320 2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe 87 (×2)
PID 4320 wrote to memory of 4596 4320 2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe 88 (×2)
PID 4596 wrote to memory of 2796 4596 chrome.exe 89 (×2)
PID 4596 wrote to memory of 1156 4596 chrome.exe 94 (repeated)
PID 4596 wrote to memory of 3472 4596 chrome.exe 95 (×2)
PID 4596 wrote to memory of 728 4596 chrome.exe 97 (repeated)
(the two repeated rows account for the remaining 56 entries)
-
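Two of the tables above carry the facts that matter most in this section. The sample process (PID 4320) enables SeTakeOwnershipPrivilege, the privilege that lets a process take ownership of any securable object regardless of its DACL, which is what a non-TrustedInstaller process needs before it can rewrite the service binaries under System32 listed elsewhere on this page; and the WriteProcessMemory table shows the same process writing into its own re-launched copy (2336) and into chrome.exe (4596), from which all the later chrome.exe writes descend. The Python below is an added example and is not part of the report or of any sandbox tooling: it parses both tables directly from the flattened one-line form this page exports, builds the injection graph, and flags every process that enabled a privilege able to override file ownership or ACLs. The two sample strings are constructed excerpts of entries copied from the tables above, not complete copies; the regular expressions assume the "Token: <privilege> <pid> <image>" and "PID <a> wrote to memory of <b> <a> <image> <id>" layouts seen here.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the AdjustPrivilegeToken and
# WriteProcessMemory tables of this report, in the flattened one-line form
# the page exports (not a complete copy of either table).
PRIV_TABLE = (
    "Token: SeTakeOwnershipPrivilege 4320 2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe "
    "Token: SeShutdownPrivilege 4596 chrome.exe Token: SeCreatePagefilePrivilege 4596 chrome.exe "
    "Token: SeAuditPrivilege 4800 fxssvc.exe "
    "Token: SeBackupPrivilege 5848 vssvc.exe Token: SeRestorePrivilege 5848 vssvc.exe "
    "Token: 33 5168 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5168 SearchIndexer.exe"
)
WPM_TABLE = (
    "PID 4320 wrote to memory of 2336 4320 2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe 87 "
    "PID 4320 wrote to memory of 4596 4320 2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe 88 "
    "PID 4596 wrote to memory of 2796 4596 chrome.exe 89 "
    "PID 4596 wrote to memory of 1156 4596 chrome.exe 94 "
    "PID 4596 wrote to memory of 1156 4596 chrome.exe 94"
)

# Privileges that let a process override file ownership or ACLs. System32
# binaries are owned by TrustedInstaller, so a process needs one of these
# (or an equivalent token) before it can rewrite them in place.
FILE_TAKEOVER_PRIVS = {"SeTakeOwnershipPrivilege", "SeBackupPrivilege", "SeRestorePrivilege"}

# "Token: <privilege> <pid> <image>"; the privilege is a name or, when the
# sandbox could not resolve it, a bare LUID such as 33.
TOKEN_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")
# "PID <src> wrote to memory of <dst> <src> <image> <target record id>"
WPM_RE = re.compile(r"PID\s+(\d+)\s+wrote to memory of\s+(\d+)\s+\1\s+(\S+)\s+(\d+)")


def parse_privileges(text):
    """Map pid -> (image name, set of privileges the process enabled)."""
    privs = {}
    for name, pid, image in TOKEN_RE.findall(text):
        privs.setdefault(int(pid), (image, set()))[1].add(name)
    return privs


def parse_injections(text):
    """Distinct (writer pid, target pid, writer image, target id) edges, in first-seen order."""
    edges = []
    for src, dst, image, target_id in WPM_RE.findall(text):
        edge = (int(src), int(dst), image, int(target_id))
        if edge not in edges:
            edges.append(edge)
    return edges


def flag_file_takeover(privs):
    """Processes that enabled a privilege able to override file ownership or ACLs."""
    return {pid: (image, sorted(held & FILE_TAKEOVER_PRIVS))
            for pid, (image, held) in privs.items() if held & FILE_TAKEOVER_PRIVS}


def injection_chain(edges, root):
    """Every pid reachable from `root` by following WriteProcessMemory edges."""
    children = defaultdict(set)
    for src, dst, _, _ in edges:
        children[src].add(dst)
    reached, stack = set(), [root]
    while stack:
        pid = stack.pop()
        for child in children[pid]:
            if child not in reached:
                reached.add(child)
                stack.append(child)
    return reached


if __name__ == "__main__":
    privs = parse_privileges(PRIV_TABLE)
    for pid, (image, held) in flag_file_takeover(privs).items():
        print(f"{pid:>5} {image}: {', '.join(held)}")
    edges = parse_injections(WPM_TABLE)
    print("reachable from 4320 via WriteProcessMemory:", sorted(injection_chain(edges, 4320)))
```

Run against the full tables, the takeover flag lands on 4320 (the sample), 5848 (vssvc.exe), 5964 (wbengine.exe), 5456 (TieringEngineService.exe) and 5168 (SearchIndexer.exe); the last four are backup and indexing services that legitimately hold SeBackupPrivilege or SeRestorePrivilege, so the flag is a prompt to check whether the image that holds the privilege is still the signed Microsoft binary, not a verdict on its own.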
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups and snapshots. Ransomware commonly reaches it, through the COM API or vssadmin, to enumerate and delete shadow copies so that encrypted files cannot be rolled back. The only related evidence on this page is vssvc.exe (PID 5848) starting as a dropped EXE and enabling SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege; no deletion command appears in the process tree below, so on an affected host confirm the state of existing snapshots (for example with vssadmin list shadows) rather than assuming either way.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x1404624782⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2336
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fff2e599758,0x7fff2e599768,0x7fff2e5997783⤵PID:2796
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:23⤵PID:1156
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:83⤵PID:3472
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:83⤵PID:728
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3176 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:13⤵PID:3400
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3168 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:13⤵PID:4044
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4596 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:13⤵PID:372
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4572 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:83⤵PID:2128
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:83⤵PID:3956
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4632 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:83⤵PID:3628
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:83⤵PID:3784
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings3⤵PID:4492
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff716977688,0x7ff716977698,0x7ff7169776a84⤵PID:2464
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=04⤵PID:1364
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff716977688,0x7ff716977698,0x7ff7169776a85⤵PID:2808
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:83⤵PID:4552
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:6000
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2312
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:4848
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:628
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:1132
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4800
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3988
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4860
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:1132
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:388
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:1652
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:236
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:840
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:1320
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3120
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:5008
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5204
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:5332
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:5392
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5456
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5596
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:5756
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5848
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5964
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:6076
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5168 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:5340
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 908 916 924 8192 920 9042⤵
- Modifies data under HKEY_USERS
PID:5636
-
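The process tree above is the quickest way to see which Windows service binaries the sample replaced: every image under C:\Windows that carries the "Executes dropped EXE" flag (alg.exe, fxssvc.exe, msdtc.exe, vds.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe and the rest) was written to disk during the run before it executed, and each of them then ran as a service with whatever privileges that service holds. On a live host those files have to be re-verified against their Authenticode signatures (Get-AuthenticodeSignature in PowerShell, or sfc /scannow) rather than trusted by path. The Python below is an added example and not part of the report: it parses the tree in the form printed here (image path and command line run together, a single-digit depth before the ⤵ marker, signature flags on "- " lines, PID on its own line or inline), reconstructs each process's parent from the depth, and lists the dropped-EXE images under the Windows directory. The sample text is a constructed excerpt of lines copied from the tree above, with the long Chrome command lines shortened; the layout assumptions are the ones just described.

```python
import re

# Constructed sample: lines copied from the process tree above (long Chrome
# command lines shortened). The report prints each process as
# "<image path><command line><depth>⤵", optionally followed by "PID:<n>" on
# the same line, then one "- <signature>" line per hit and a "PID:<n>" line;
# bare "-" lines close subtrees.
SAMPLE_TREE = r"""
C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --mojo-platform-channel-handle=1752 /prefetch:23⤵PID:1156
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2312
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:628
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4800
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:1652
-
"""

# The image path is repeated as the start of the command line, so the first
# ".exe" ends the path; the single digit just before ⤵ is the nesting depth.
PROC_RE = re.compile(r"^(?P<path>.*?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?",
                     re.IGNORECASE)
PID_RE = re.compile(r"^PID:(\d+)")
FLAG_RE = re.compile(r"^- (.+)$")


def parse_process_tree(text):
    """One dict per process: path, cmd, depth, pid, flags, parent (index into the list)."""
    records, last_at_depth, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROC_RE.match(line)
        if m:
            depth = int(m["depth"])
            current = {
                "path": m["path"],
                "cmd": m["cmd"].strip(),
                "depth": depth,
                "pid": int(m["pid"]) if m["pid"] else None,
                "flags": [],
                "parent": last_at_depth.get(depth - 1),  # nearest earlier process one level up
            }
            last_at_depth[depth] = len(records)
            records.append(current)
        elif current is not None and (f := FLAG_RE.match(line)):
            current["flags"].append(f.group(1))
        elif current is not None and (p := PID_RE.match(line)):
            current["pid"] = int(p.group(1))
    return records


def parent_pid(records, rec):
    return None if rec["parent"] is None else records[rec["parent"]]["pid"]


def normalize(path):
    """Strip the NT object-manager prefix the report shows for some images."""
    return path[4:] if path.startswith("\\??\\") else path


def in_windows_dir(path):
    return normalize(path).lower().startswith("c:\\windows\\")


def dropped_exes(records):
    """Images the sandbox saw written during the run before they executed."""
    return sorted({normalize(r["path"]) for r in records if "Executes dropped EXE" in r["flags"]})


if __name__ == "__main__":
    recs = parse_process_tree(SAMPLE_TREE)
    for r in recs:
        print(f"{'  ' * (r['depth'] - 1)}{r['pid']} {normalize(r['path'])} (parent {parent_pid(recs, r)})")
    print("dropped service binaries to re-verify:",
          [p for p in dropped_exes(recs) if in_windows_dir(p)])
```

Paste the whole tree from this page into SAMPLE_TREE and the Windows-directory filter returns the complete list of service images to check; the non-Windows hits (the Chrome and Edge elevation services, the Mozilla maintenance service, OSE.EXE) are third-party service binaries that were rewritten the same way and need the same signature check.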
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5fd0bd541eba501fb0d32eb775b929a06
SHA1cb9332d4a451a8a2fe5fd3f552014649fe4232c1
SHA256ba3210b5201790d71475051db081fb27e9c63289ceedbc47918e3af7178250ff
SHA512bf0adb2bd4d0e85bf319216a0a11cb786838c18c59a27cc5dabaebc0cf56a550d6d91d25dcc5b6b2bb8b211d92747e8afcc2d2d42bba5a075aad444adb4f3f00
-
Filesize
1.4MB
MD591f2ef5bfbf6835630774bb7743425ef
SHA1d6cc06e613d6bb0a9cfa377cd2b6cdb59dbac182
SHA2567c4be35e1c9772b8fa18d6b44160b859a9e0450788c7b13a21e34861a915a812
SHA512963b2220ca9122ab47f4ca6dca4e5375a9b13be25a3c9a733796e29d3859474ea20cf4474a8accd9aecee01492510c12b94d96f8bfcd3cbe9bfdbe877a7c5990
-
Filesize
1.7MB
MD56b3fa34d5b22c3418c0cd32d704f3e26
SHA1be75b8df9212eb7ebe81011633d4605cc809f23d
SHA256724e002c2a984a0c42585bed174464492a2014f010e53f5efcca494a8e7b7b05
SHA512aa3a50c3633ea9e8ba5cf49a84d9114348be278a984ee6306b6747db7125fa9337ec490342fd33778979d4e69beb3d60c4f4e9d8ba0a97a9c861518646b18374
-
Filesize
1.5MB
MD52daf149f33f2ba2972fe1f8d039a0df0
SHA12c77575ffbdf6a49482d17d63de1df97a93cda11
SHA25683532591d57f78a95d558d1874b5bcb7eb4f79cc1c6f4a8b57110c6c79150695
SHA51278d257286b4c365ee316e78d8a231add58e928bec94516e3c817179922b33ab146dd435dcd25aa1ad6454a3f31d7e85713cf422046762bf332b6c02e3e086948
-
Filesize
1.2MB
MD510f5f9a257cfde0017bdde88948ff39b
SHA1b92dd01b9bca91657355d2828a8798b97f1ae613
SHA2560e64f8252cbac6e13704ef8824299b8e60c252498b48ac0414a5a9907cf3ed86
SHA512d7391bfa11a8603cdb05372581c900b07fbe963ba3d581b3b8cfa6d0a696ae45dd6768e3ec8503336963e518ca41c67e8b6f7dee520d4d787ac5e8178141e85c
-
Filesize
1.2MB
MD54e8b7995a8e212c53817d87cc372ade1
SHA1d27617f1fe93ada940d83c40c726abe09837b83c
SHA25654572db295c6ce84c8c984774ad8d999a778140a458caad5976f6c618980635c
SHA512794e5e6d3f315aa985f649504f1d006cb6f436edf7d9ea45b3ca258c79e0e4a87584570bdee3af7aa20bda6dbce712e09bc2ea4f990c44fea900730f1e0a4cd1
-
Filesize
1.4MB
MD560adfcf92fc545bc8b292270ea2633c6
SHA1e7515700f08b8d2ae11eda1a536dde0a95ee8133
SHA2561069a6a5163a05c839246e31bb4fbab1cfaf89355211096a90fe6dba5815c7f3
SHA51272a08c8f2fdfef9b8a2c55cd7e3043ea9786025f562b67a9f63ca779b2a99c9ccc8d7f2764c49373a763fceb24b6cfa88a402121377297b3c0d209706f1847b7
-
Filesize
4.6MB
MD53d29f6e5968476aee431d50dda622fab
SHA1e7286d56d9368584ff5a75f676e4c0f8b617319f
SHA256baecd021917d6d4c0728db00c707ad13a5bae3eb36bdecd4b46110f1b2d9bff0
SHA5120fd439f776f7d72623a613e4217d7a00f8ba67a9e384edd25602c215e2cdb6d4e4580239ddf02f090ff15d157fca2e3b7bc15c78abbfc03e9aeffc123ed45c23
-
Filesize
1.5MB
MD582e34b87dbe32994edefb43363c53deb
SHA131e9d9ddaafc847d5c8b6b3903bd9ae3a38e5330
SHA256a1fee4e9930dfac1fecd990fb24dcecb39b16a402c2788baa681a5efd6444217
SHA51226a2515d73658a4b3b89c99442b69ece6decbf32c8660b764d181b9d735c2998ee097b25d01507520238b10c38747cd7faa8d54502155d969ce98aedfd1ea06d
-
Filesize
24.0MB
MD5194b83c33121f907cc36a9d000a8bed2
SHA13e450315c0445240de5fb02462778f61315f8065
SHA2567471a167e04a3f16ab28507c7b2f2e05b2266ee23d23514340d403d884377159
SHA512701ccada604e869dca8b1392cf0c9e5b6a309201ecbcad8d1b12359de0d0347214e7ff645a55689ceb9cac4dbbf413e789043082a75fc82ee0856e3aeeb807d4
-
Filesize
2.7MB
MD52fea14b1b0a28807e6e2838a76fc42e0
SHA15119a191833e717b0b93610e13703dc32b357414
SHA2565312f4c208199ca5cdea8decb50ecfe9a627a940419f94bc32fcdf0b1ce56548
SHA51275940dc82e9f976211df90a17a877ec5222961e3cd748bd569ee3565a7a76435064ca331f621bfe237809c42cbc70784a7f3580bf32690b37e822522c374d476
-
Filesize
1.1MB
MD51b77cf4c0597eeb9c03ab7d0d3275f76
SHA1babfc88e1b0fe7a2d25b043629f43333e76979e7
SHA256347fac8aa73b9c4bfbf997cb8a819a8e649df07450a2a6010be11a1e41c98c0d
SHA51227b0b6c326764317cc9f8c0791b4b83c5db6af71d79a748df7926412e55a6c31698bd37ba1f62c1b106bc1de25d5066354611a5621054463ef4c22e80d0dc52c
-
Filesize
1.4MB
MD53b85682be2f8720d48bed76e1d5feb22
SHA16d76817f71dc218dd053720fa737db9efacf395e
SHA2562ac57c94f5a9d090d49472ec731b2cd264c3bd4c01dabe91709b388497e27410
SHA5123519385a47501fe03987d744bd758e415a998a4f1dfca86d10e6eb7268f787e301d3a6f16819635cfbe62a4a4da408d8d0c1994ad16a7f8a695d5459526ebf23
-
Filesize
1.3MB
MD55b65264d0675507a4bf51eb202e03995
SHA11af5bd66be2865436f5b0e9bd0c02c29c1c50d23
SHA2569c682715a36c400188f14f0cee5b69d8785ede70b2aee7f49752b364b84baf2c
SHA512a03b79bd79bc98e2c9e1ad0bea6abd32043b121a7739b80bb11705ad7742abae9ae78ea52a376570ee870dcd6767385ff9c52a8b5db0f15b6b1b1ff12fbf309c
-
Filesize
4.8MB
MD5803d5a1d08d377c274dd3d3853ec8194
SHA13efc8360693de14f3ee57244a7daddc581b19a85
SHA2561b64a7c8aa54894f6790e1b9f96eb28283407f20e9af2b254617272c2ba1735d
SHA512d026add4a471ba4dcccaf7ff4ae7b37817f65ba8bf22356b70a167fe7ffc2dde9b2d63d7cc6c241536919626f5da078e00646b24eb0e3bce66504fc766e5348f
-
Filesize
2.2MB
MD518c47151b2fda60ee8ff6c91c0c7a0f2
SHA1faa813fa3ad0e9e6c5c88ca39acb3036b2cbb6da
SHA256e5a0ae67becf98806b1ed82850f95b0e1ece287c07c29cd8db3672ae74c16140
SHA5127b75d519bf583b8c67c96b053267cf5c61f00d5dd025fb50b54eca8cf616fba6784690d35c43be10c90fe5bcc425ce949ace472e88579b0c219868f7a338256a
-
Filesize
2.1MB
MD5
e37c8d96afb9fc32fffd9e8c5b23ef0f
SHA1
f964272bdb6cb9804056d3cda9bd918cb5df5d7e
SHA256
d639c63d04ac077cd55797721fcf4f29f05ccf9af4b9b8bd13f82d1b23fb08b4
SHA512
ad9d1c9269bf5e2cbc6140db0800ae342bd9c721bf90216272287aece1a5c4c768dd5f38ef6395aee281be821249a5f80dd503a9655db0d17f46922b8f758ac2
-
Filesize
1.8MB
MD5
6106cc789a1ddc2adbce091df21740d8
SHA1
bf18e9a73a1509b9c3b751920c7f5f04f787ec42
SHA256
a17a42c80423fb9c12eee5b20429a2a6d5e00ebf549c83b657cad368e2d24f0d
SHA512
122c527e31e2da6bfc91e7089dd5efea15edf785527295b00765ab6ecf70aebec9e2c222e803ce4a2badc051fd607ed90b8482f56410bfd4a31719899fe7cc36
-
Filesize
488B
MD5
6d971ce11af4a6a93a4311841da1a178
SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize
1.5MB
MD5
2bbfe5cab991a87f1d710d4e5c85796a
SHA1
2be8ade6f1f5500a525f18d3a45c09ec1145d750
SHA256
17f2d7aaabcb505ac0bd1fbbab4a9df09d812e087d75d1ced9aaf63dcd78ed60
SHA512
90d078650a8946e86717828ff79c0a3608b4b65a20a40f93bdfdba51f680bf4e353997d5c7677aef3f2ddb5d9372bace577af5a3e91b65e7d2cfdff193d050b3
-
Filesize
1.3MB
MD5
fcecf57d3d4cd49faa1c1654da8ff0c8
SHA1
7ea430319b2e4d4691215e912a13896ec19a19f4
SHA256
df432a8d7c03f14813ded3015482c3c4069bb245cbe9ad2a8bcb620fd8100539
SHA512
192ac54aef6417cdfc84a49185de50e812734c15bebc5b1a6fc381b5dbf08c14708b830a2769b5139a8126fb01e2494d55f461ebed8b1bc7885ed52148530e94
-
Filesize
2B
MD5
99914b932bd37a50b983c5e7c90ae93b
SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
40B
MD5
b605879e08d2c37a89e0a7cf9cebb008
SHA1
547075286a6e5e6a304912cef29adf2a5379458d
SHA256
2a7688cdba662e4017878b44e559b7bf4889f2b32ff1c6ed70e020a2738e662a
SHA512
f18fb8e2df93b18cb2359c651e1dbbaf73225ff16912cec7dda24ef3e82d921690aa0690ca493375536159d8aa9ab660e45e2abe4cdbeaaa368f6f69bc090fe0
-
Filesize
193KB
MD5
ef36a84ad2bc23f79d171c604b56de29
SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize
1KB
MD5
63661c4e5302388dc76d0ae91f9d8323
SHA1
29e8247d3dd856a5f25071acfe18210cc3fd15d2
SHA256
7f470303f952e248ed892301c6e592893ac3ca4d73bce863c1cd74ff3b16cbae
SHA512
1628af306b7c3fe5a0570be8c321150ed371cd71626b31d6f01d3c66045c4352319f1758cd034e9df40cb480e9234189596a0dd088dc50295e51827367290edb
-
Filesize
371B
MD5
58fe4ad02115421621ebce35417eccd9
SHA1
16ad03a0b0376e3d1036079f9b58da9b6dedbb30
SHA256
22edfe9f9d1018bb27baaf881418832c6c1ab5283ae58ac7fac43eb22e9f4923
SHA512
d8ad022aaedc9427dcad08c5ec2a64f23456c37b91ce1c14c120cbfe16323e59a76afb419641d172640dd4cc447d6eac4d80bcbc6182b8f4e546323aac6e5998
-
Filesize
4KB
MD5
3276277cc4d05a6942e701bd5a434d51
SHA1
3d9181d715669e9f1b2dc3806e9d0cc937be9068
SHA256
191217edc262514f19fe3fd87fa2429cdf51d34c4130a9392af4b39ae99869db
SHA512
bc66d1fe2dcf640187ad0a68d497ff374710df40822c523e3736b2f3f6683d3d600d600b72fee59a3be8d5b22bb05580e2dea0bea40c9cec852c7676796b821c
-
Filesize
4KB
MD5
28460536bc0f62a291685d86234338cf
SHA1
6bc4a9c6a83b129a722dc5dd2289011ef50d179c
SHA256
ffad73395d38777f9ed0ff4dbced0fb171647205e205f66144cf5c67e234b51f
SHA512
fa6e69a0cd0b5910c9a54b89ec88909ea150899002ec867971ec77e66dd67879ba73cdf0fd5bd414e6d93e7bfdf00ba59accd180803788195e1feaf385fd7d20
-
Filesize
5KB
MD5
61d62558438ede7f331006d34e03811b
SHA1
a92136c0536b60b9b0295188d74efad47b341da7
SHA256
339f06c205888f7134889bec5087f44338402c9f58b2602162b5e6ce04d7fc54
SHA512
7168c4913abcadb8acdf223bccf0f39e8c498f1b24ddf125b05255fa718b596975de8ff904dda811cadd78f7c04717376ecf99b5111615545ef75e6d6dc117e8
-
Filesize
2KB
MD5
ef3aac392c0d75f931c89cbb67985e0f
SHA1
ce61a9a0890645f7551e4188f0dc09b324f56b63
SHA256
474bd435e067162d7364e95374e0fc4f6be9ea3202017cdb1eb05a7876f254ec
SHA512
22f026e8146699fdd24911bff6f5cfc0ea1cc131bd378e973e8fca5fc479c8eda9764b7a3a1acd9bbcf6f6cfab8763c04fe6c9a56e1b8e9ffd6316ed11c34703
-
Filesize
15KB
MD5
fb9702eb916b957cbfdb38e281d99358
SHA1
da1121c1efff024754ea3056574a46ef94973304
SHA256
02e72f7b6a350f2bc411db4ad199faa1ca1f54cd3fe59e19b0ae82c4ed07e104
SHA512
7c60540627cf906007af28960a9b830535c5abead53997a6e6fa0fc22f3ff49d6158fd5840cbda50c7a01cd5c634b01d788c9db25e6109ea4f216a9802544970
-
Filesize
260KB
MD5
6d8964d92187bf3aec183f806d0d5873
SHA1
9fa7a8fb813a4e96620458d5e71406bfbed34f72
SHA256
76badd1688fdfab7434574f96b42a798f2c3f9c1c60759b94436dd46eba064b0
SHA512
3fdd1331ccc83719634a8b597da2d068247d2e1be3043dc482936323e0bb3154d1202c6848ace6007aa2843928e5220831ca1b7143330f898fde39b66a59d4ae
-
Filesize
7KB
MD5
643ee415eea6e9253034428146d8497d
SHA1
aab4ce792eeedac3e5741a38bfe2b8943511790e
SHA256
ab6e6bbfd6e7fc54a09cc8f7689b4d97c1a7f3540e5daee6d2d6e1315c091d1d
SHA512
ef715c433ff0ff5c76bf1a5e26a07e9579a12e3ddc1326ec761704ebc35d1f22434339e545d7357add20d41e50de507f82eb469036aba3591e9f9a327471371b
-
Filesize
8KB
MD5
42a192cc9e49b4c238a379ac993dd318
SHA1
79bf314b162a0b2a02c9b76d0e419124d11ec945
SHA256
faa55389e7110a8e6be510ecf9c6260469bc7e4ebd246fc1ed18ca3d7c41002f
SHA512
fb4994327588d0de87dc20316907a2491f572f0c8859fd9a5c20b1c9667ac935a7623560cd10c1bc958a52ad12abb5e638894662947b1fc542998e2627117ab5
-
Filesize
12KB
MD5
71526bbce90b3b7bc7f10922e8cfa1a4
SHA1
05b812e41e3428e8c6e3d54c9ade329f2b15a421
SHA256
51c7c210d10455b0b9870f0269322f9e5da34bed868bc714d9933cc153aa34c9
SHA512
03c9dc6e3b4e52b17b244336031f6c1526091f8b82b008224769dde432a278a8a2a300471d6856d6dafe2c7b02158dbe0da9694145943940e675799ba21f4ca3
-
Filesize
1.2MB
MD5
08ae5860ecf2045f6f89f7251c6e7440
SHA1
38abc9b49483d12480f2d741ce5290281c1a2911
SHA256
8bbeaf5100ee159d74ac50f6972fe05c7a152db6d16369a425317e747ea90a51
SHA512
2311156bfe4b7b400c5b011bcdf82d787fcbee22269d3e5f64d72230d94b8f237617dff6164e7cab7c76ddcae2f4c1b914c829a81a63a9d23c191b0d83c767f8
-
Filesize
1.7MB
MD5
87745c40b6b378fd6ef6a21d69bc7aeb
SHA1
76b13d2734b9cd3727dfb5bbeaeaf76afb591e07
SHA256
8681d483d666b913dbf19bf365ff0163b9d331eef4cfeea010bfbf1ce455c37a
SHA512
207442165d3d92aaf58eba3c9b746631e6327aa9036d901d703ed49c1297e82a2baf2b0a51dc2b3aa85b1ff3f91de392222a8f91cd845c7bf7cbb55b4d9694b2
-
Filesize
1.3MB
MD5
c1202524ecbf527e5ea6d4103fa6ae81
SHA1
bccd1a4acdb0703afac1096e4cfeee554ff0d6f6
SHA256
c7d33d8aeda31a7c145488b3cfea849cab464e98fe8e4d40adcd07927a3c5abc
SHA512
39022496f4ef66c7073cc15751c845dbc138ead791947a8f5c4d31ea803f14b7a648691551c0ee37d15c5559c80e4360bd84daa67e9c1a743c56fcbecd73169a
-
Filesize
1.2MB
MD5
5e6476b1a83b4a6c16dd04357b12b9bd
SHA1
72d4d10baced2869ad7b46badbc1b0809dd0caa5
SHA256
7b8d7c8069640164358b0f3a908acc1b5e884f9f8fa0db800d897933ecf9fa5e
SHA512
a821f9d52530ba2cd7588e0e20c3735f1c6b55a9f40a152eb781407412663438ca4a1a8a9166b1178689c39f20f76cd475b3bcbf50d3b415ef475913e4db9ba5
-
Filesize
1.2MB
MD5
8abeb7425549e9075f5acbcfef3873bf
SHA1
85e732e6da251c7899047d9b83cca5a82a8a9e84
SHA256
2aea71e4634184187893bc7ebbebb2979e611d32f6157e8900eea63dbdaa46c6
SHA512
a09350f83b04abedafc50fa3f47b57fa7a655e79c3178dc65efd0ed32bbbc5ef01d58bc7e5b85bb095a2bd525881b4199445eebd35f41a4af91bbbfb96785e94
-
Filesize
1.5MB
MD5
d71cd6071ff4ec63df0953fa1777238a
SHA1
f5f14b079443bd3ae34424607e5eebd30f3f11b1
SHA256
c258786b8623b14eb8be14148304a8e3c61cffd54debd8bf51178d967f2cb6a7
SHA512
003c8c824b013838b13200490449b8784e257bce9f05647646052f4dd8ecd718f41a62cc2cdaae150ce0904308b96f75f063172e737fe9fcc0c12419d296f419
-
Filesize
1.3MB
MD5
b14f2a95214cc5a6918768cc506323d5
SHA1
dcdbeb4feaa9384ea93794ef62af0174f4974dad
SHA256
9d977c7633553a18dd927191e0034577566ac91a0e42cc1ebf9c9d93423ce983
SHA512
33629b89b2860d9b3bd4417eb85504c8fda57c35d94005bf0a09faa3cc67c3c112eada5dadb823ab99108b68b004bb69b38ec26de20ef173ee93a227a502b0e9
-
Filesize
1.4MB
MD5
8a2c34ad1c40d4a2fac5c68b4f2814ae
SHA1
23adbbc9a13e747e0116e5d6acab834f915c00b5
SHA256
0e3945dc5ef439003863bdf9842941de03b7fed15042c857969d1e50bd078e4d
SHA512
a75cb030d5f960fe588f130ded2c572666d04906fa4c20c4d3c4b8e51083b926a6ece43c174ca8e0ddac9bc121c98d12771e83b920b3cf4448ce693f518f6093
-
Filesize
1.8MB
MD5
085f487da3809ef3c4bb0cc2c0819fc5
SHA1
e3ac233a0d4ed477744e314163a8fcb6ae8b6a25
SHA256
8f4e7a45ec83b98a35b678aec08a5b96e4ece4442dae044bebcdc8c50072250a
SHA512
b7c5f3f45f5641044f13bbe207f204236ea373d2a3b3477733b835af4c2155ee0163eaf15b2c55ce617612fa604f9400b9d3ae788e46c2dae70b7b50073c74ae
-
Filesize
1.4MB
MD5
e8ffc05554d1f0444d2d7bd39118d58c
SHA1
1fd47226df7b2660272a18de09db414191800820
SHA256
2aeec5c52971a8c8c6e304051a555ea6f2a4f29c108559124bc4b7ff6e90095d
SHA512
5ed909ee58c83e1a043eb10828cfb8e7b4579d5176cb521d057158c8c51d7a6cc32c896534a0973fd0c3fd0eccfc2d281242ff7f137b8d19237f9f262e6b7fd4
-
Filesize
1.5MB
MD5
b2a967e63d136d0d6462bf86506a87bc
SHA1
216678b63ecb6949b2b0ec42bbe5758e6c8f7f13
SHA256
bed432d2f5dac64a0186b06e1217073c09db6f142e3af3ace66171d4c79c460c
SHA512
d46bbc4289af8f6d4e5b95f52cbb9d23b5dfc51bdb911f9fdd2969adeb0b84bdd03eecc85207dd49c54218a98597da12fb1de8f5801f4ed5cf18b4d457bab17c
-
Filesize
2.0MB
MD5
96543b2940e0bb7c904dbe6bc2b2f8b2
SHA1
7b2522981fe7667d81f3bc6284f96a3ad5821e95
SHA256
74049b31e2b63416b4ab2c7add56322e30c2ace6bdf150165944f4a8535acde9
SHA512
4b4e8c452b5143952989847d4fa0f12a547f73177584bbeceff5a0eb1a54a6b74e8ed3c476cb33fe647f9ace0de5b578d4e0fb33aa09d630a1ffd20b57b5cf48
-
Filesize
1.3MB
MD5
8236bd47b5ada0c83723f4175a9a3ce9
SHA1
3b14c3feaf69186c1519b9d2a75bb6acbe79bb86
SHA256
4604e76f719fc08ca2b481eb5928f3eb0c30dcaf6854ebad3311951a9cdc5525
SHA512
297fb27ddbb88ee00faf8e5209471c38e89805c4afa948f618f5b2d1ae1a1e04a68bd3f8b2493c69fa862c804115e491fb0beac21090b043e24d4a0d3e0ec481
-
Filesize
1.3MB
MD5
b419aebed06d8366cfc0fda3897ac689
SHA1
d13a516a65c889d85a1205555e733d0576b8fee3
SHA256
9cf93946d169189bfd43804465a6501b873657db91780fe9de942b3a299c4f8b
SHA512
8fafd0bbedab38322987d2158d918f153d276a21ec6b001af2a6949bd7007529a0fb29b31f6864ed78037f73dcae98b74ee478454de7cff2f7bdf69dc2f74a77
-
Filesize
1.2MB
MD5
6d265669f1cd384e47f85ceb537e3332
SHA1
221dd4be9b8744b994acc46474873319ee02986a
SHA256
2843a82de12073581cd55129b6c6ee6c11f76a5c65cb15da4746eaef2d0e691b
SHA512
fade63625472d8d8f01adc5d5e5717cd3d98924565da37dae0a0b11168689c74687ddc2a8ffbd6aa4ab5b836cfd77a514c286d4e7e02cf30b21b2545b0b425a7
-
Filesize
1.3MB
MD5
75390610779b05b609e31ea468dd933d
SHA1
dcb5a13cc5eaa2fd41fcfdcf99d1674ad4babaa9
SHA256
de37b54e38fa765fbd33bb4678c186eeb1665071c972aa7802280756f1acb681
SHA512
a7cd543800ffc20bd40ff594fe844838cd94bc760d739d874e9e5ed707f798d07cbbcc56a289c22670a6189dbf5014e3b0d48360a65601511d469aa67baf2966
-
Filesize
1.4MB
MD5
09122134c83e1a33f90dcae78c8c79a1
SHA1
2e4e502f72b0f03509508d7937dfd4d5f1f0dbd2
SHA256
2be2b2468dce00aadb58200064b2705f0b0d3fb24f7b154d81ccd69bd169ba61
SHA512
10bc35a1d6c77499db76d0f3b41fb8a10475609d3cd5a8d81d84f482cbeb389f538ed1866f91e636b59dcca0c1923fa963ff7e022dc7d85e43403c7becac920e
-
Filesize
2.1MB
MD5
82b38a747d3fa178a6d918b338774767
SHA1
42b5a778399f0f76fbf369a852e56bf7932c6373
SHA256
1ec5d443dd18d4b98cfd0415a70ce9fe535bea3f0bde4c23dcd119a0d49082d6
SHA512
c5f52890b309fa32d78cd9c04dae9fd6743946efb1ebec3613c0623a3871b3b23c14f47a27179394e59856c59f39abbea954edd015602742ca5dda6ca6fcf541
-
Filesize
40B
MD5
7806f070ee1bf48d945790a0c2a61355
SHA1
cd3804e5db65628f5a3c0a8accbcb6d10544280c
SHA256
6520df12afb6e96315f15e8777e8deeb8b25d5ac72136065c7d5accda00cd895
SHA512
c1c368d258f84828a08885a6c25894d96da5f1bdb66ae2828bf764213827289c4df027188338fede003a59c8bcdf64ab3eaceb0d20e62c8ec8620c921901c7bc
-
Filesize
1.3MB
MD5
674bf7c8517e58085a13ef4f58d43e36
SHA1
ea058d2b71842d0355ecc5462718023c2d0679ea
SHA256
34ae48dd7f03016e2353e9cda6c9dfcdc8eb0ec9d6b50e4d57f06b2e808bfe19
SHA512
b17210920c7f676c137574bbc80b332b1a9d9c96b64d335bd42e2b849961f3ff070a187f6691097e87c7620f863567aff2e5ceaf3802895091020122403f9113
-
Filesize
1.5MB
MD5
0cb513e936a6c6bd36c49baab094b096
SHA1
8d817b27d8ac91cf072b8e21303c48170f938d03
SHA256
0551d47db53fbd80891e483c521bdd195e3ae170901fb9a18b2523ba84b1b6d4
SHA512
ddb792c26018aa77e3300a2eec1b7b5191501e388bd268289d4871e7877e36ba88790c43742dff798a8d502903b35bb4a8b04f421e59ef85d87aefe5cc086d84
-
Filesize
1.2MB
MD5
ba10d0b41b6c7c934cb99d2635a78240
SHA1
7f164422a9087d79e25ed7b0ff4f2b72b4953b6b
SHA256
6332cdc72a45ba860fae2c6b9605216c39cddd926eb179db87872648aaaddc86
SHA512
53c86345f6ba818f20966246b68aeceac091652215c19129812825fee9d1041590b14ced1e5346fbca48138176a78bd11bebad1e4d195c67b50aad7bd5304c6a
-
Filesize
5.6MB
MD5
9bb61b707fbd4071d1735f0529008136
SHA1
3e22239bf7d7867965d013e9ea07cac5feccb28a
SHA256
f81056e812b5677b26981f70e541054aecf5cde782c347a40a82c3eebf1e40a1
SHA512
4fca0e6051bfc917b24a77b135b9f4438b902c28b500122246ea9f1f5932661b259d82f2781597509918c7d0e8fe7173bce4225e732e93641f1c7fa76661ec4f
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e