Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 19:38
Static task: static1
General
Target: 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
Size: 4.6MB
MD5: 873dc7d70a7e50fe0dc5d5280ed0185f
SHA1: b919532e57f52824ad97fe0a6f6fc7c2f698e2ef
SHA256: 5f8ed3bea7026f766bbeeb4ec8fdddcae6e1c286e7948134f00eac8e2c7a3c3b
SHA512: 644bc1d31a2c7e11e19428f13a122e2afee6d3ac2317e6ce7757434155543925b64f0b767918db4b9cea05d4ff5fb2c6ee736810a6b60c5118862158470b7ea8
SSDEEP: 49152:MyEKQ5E3ieGR0PEtBFUow1b89eX611+2xmepn/TRijbqYW3qkCbDypSfe6qwiXpL:mq9ceqz+2xl/SSb0XD527BWG
Malware Config
Signatures
Executes dropped EXE (26 IoCs)
Processes: alg.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, OSE.EXE, chrmstp.exe, chrmstp.exe, chrmstp.exe, chrmstp.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, msdtc.exe, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe
pid | process
4960 | alg.exe
4952 | elevation_service.exe
3612 | elevation_service.exe
2176 | maintenanceservice.exe
4584 | OSE.EXE
3644 | chrmstp.exe
4500 | chrmstp.exe
4224 | chrmstp.exe
532 | chrmstp.exe
2560 | DiagnosticsHub.StandardCollector.Service.exe
3056 | fxssvc.exe
2684 | msdtc.exe
1620 | PerceptionSimulationService.exe
3036 | perfhost.exe
1644 | locator.exe
4568 | SensorDataService.exe
3144 | snmptrap.exe
4428 | spectrum.exe
3516 | ssh-agent.exe
3796 | TieringEngineService.exe
2216 | AgentService.exe
4448 | vds.exe
4416 | vssvc.exe
1692 | wbengine.exe
2768 | WmiApSrv.exe
728 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
Drops file in System32 directory (24 IoCs)
Processes: 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe, 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe, alg.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\b5d0db02c4fd1e7a.bin | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
Drops file in Program Files directory (64 IoCs)
Processes: 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe, alg.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77625\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77625\javaw.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | alg.exe
Drops file in Windows directory (2 IoCs)
Processes: msdtc.exe, 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
description | ioc | process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: chrome.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, chrome.exe, fxssvc.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6c5315c2389da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b129155c2389da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e874615c2389da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d1b21e5c2389da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a8df85b2389da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fdee195c2389da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fdee195c2389da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d1b21e5c2389da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a8df85b2389da01 | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 39 IoCs
Processes: chrome.exe, 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe, chrome.exe
pid process
5016 chrome.exe (2 entries)
4216 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe (35 entries)
5516 chrome.exe (2 entries)
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
656 (2 entries; process name not recorded)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes: chrome.exe
pid process
5016 chrome.exe (3 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe, chrome.exe, alg.exe
description pid process
Token: SeTakeOwnershipPrivilege 1780 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
Token: SeShutdownPrivilege 5016 chrome.exe (30 entries, alternating with SeCreatePagefilePrivilege)
Token: SeCreatePagefilePrivilege 5016 chrome.exe (30 entries, alternating with SeShutdownPrivilege)
Token: SeDebugPrivilege 4960 alg.exe (3 entries)
Suspicious use of FindShellTrayWindow 3 IoCs
Processes: chrome.exe
pid process
5016 chrome.exe (3 entries)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe, chrome.exe
description pid process target process
PID 1780 wrote to memory of 4216 1780 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe (2 entries)
PID 1780 wrote to memory of 5016 1780 2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe chrome.exe (2 entries)
PID 5016 wrote to memory of 4980 5016 chrome.exe chrome.exe (2 entries)
PID 5016 wrote to memory of 5072 5016 chrome.exe chrome.exe (38 entries)
PID 5016 wrote to memory of 3152 5016 chrome.exe chrome.exe (2 entries)
PID 5016 wrote to memory of 1600 5016 chrome.exe chrome.exe (18 entries)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1780
    C:\Users\Admin\AppData\Local\Temp\2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-07_873dc7d70a7e50fe0dc5d5280ed0185f_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2d0,0x2d4,0x2e0,0x2dc,0x2e4,0x140384698,0x1403846a4,0x1403846b0
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      PID: 4216
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 5016
        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xc4,0x108,0x7ff875ce9758,0x7ff875ce9768,0x7ff875ce9778
          PID: 4980
        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1932,i,13683370807020894489,13109186316448667395,131072 /prefetch:2
          PID: 5072
        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1932,i,13683370807020894489,13109186316448667395,131072 /prefetch:8
          PID: 3152
        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1932,i,13683370807020894489,13109186316448667395,131072 /prefetch:8
          PID: 1600
        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2872 --field-trial-handle=1932,i,13683370807020894489,13109186316448667395,131072 /prefetch:1
          PID: 4704
        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2896 --field-trial-handle=1932,i,13683370807020894489,13109186316448667395,131072 /prefetch:1
          PID: 4572
        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4620 --field-trial-handle=1932,i,13683370807020894489,13109186316448667395,131072 /prefetch:1
          PID: 3404
        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4788 --field-trial-handle=1932,i,13683370807020894489,13109186316448667395,131072 /prefetch:8
          PID: 4388
        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4936 --field-trial-handle=1932,i,13683370807020894489,13109186316448667395,131072 /prefetch:8
          PID: 4540
        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4920 --field-trial-handle=1932,i,13683370807020894489,13109186316448667395,131072 /prefetch:8
          PID: 3420
        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 --field-trial-handle=1932,i,13683370807020894489,13109186316448667395,131072 /prefetch:8
          PID: 4532
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
          Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
          - Executes dropped EXE
          PID: 3644
            C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
              Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x298,0x28c,0x290,0x288,0x29c,0x1403b7688,0x1403b7698,0x1403b76a8
              - Executes dropped EXE
              PID: 4500
            C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
              Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
              - Executes dropped EXE
              PID: 4224
                C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x1403b7688,0x1403b7698,0x1403b76a8
                  - Executes dropped EXE
                  PID: 532
        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 --field-trial-handle=1932,i,13683370807020894489,13109186316448667395,131072 /prefetch:8
          PID: 2844
        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4088 --field-trial-handle=1932,i,13683370807020894489,13109186316448667395,131072 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses
          PID: 5516
C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4960
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
  PID: 4952
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 3612
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 2176
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 4584
C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe 351aa6df0d5863170130ddcb0a85c1f1 Ne2l+pV3RE+Eqzs3bUBV+A.0.1.0.0.0
  PID: 4388
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 2560
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 1308
C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 3056
C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 2684
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 1620
C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 3036
C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 1644
C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 4568
C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 3144
C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 4428
C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 3516
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 2492
C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  PID: 3796
C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  PID: 2216
C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 4448
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  PID: 4416
C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  PID: 1692
C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 2768
C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  PID: 728
    C:\Windows\system32\SearchProtocolHost.exe
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID: 5420
    C:\Windows\system32\SearchFilterHost.exe
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      - Modifies data under HKEY_USERS
      PID: 5444
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5bbe66acbb797e42efcc859dc8fab69dd
SHA1b81d5717ddadafc8bb8ef98051e3f3c6f40cac31
SHA2564e2e022bb156156e00cfcee8362290d9cb19bc4e4a87fd5c48f0aa846188bc06
SHA51261755d7a915f78299e6b985eec76715dd3331c72210b1a95ccafa4a31e2dc5f56e68165d00f7e1de597f144296494b0f47da64e08dbc1f09ecd5a9143d0b3252
-
Filesize
1.4MB
MD56a9f571b5d97ebe386baca6c5da6d58e
SHA1f703dea95db98a62ea7b2226cbac6e9db303f789
SHA25637558427e86c2f07e8cf1a1beb15b9c16e89e6b89bb0300e27550e867b1c3021
SHA5129624e9835c01e6fb69870191ba3628067171fdab70f1291af0a8b615c5d85e3f49d6605972538f3965c7e14a0d148cf0087a75f95623b5908ecee4120385ea8b
-
Filesize
1.7MB
MD5d2eb449a5692355cd8eaad95e6948666
SHA12ccbdfa98b3fd5deefb813b84aa379a6d3c6e972
SHA256cec9badd172e0893f8682cb22ea18a09b8f039df1912884a51a424e0bc667086
SHA51248703e44e9caabf70dcb9c990a64f312faeebc41750d05f70a0c15aef08c12f9b2cdbc5dbba05bcf9382bc5e3ec88a201c3e2a0e279c70164a4ed44b702131a1
-
Filesize
1.5MB
MD521c20664ae15da947250c2c12da6b7fe
SHA1d8ff5a480de2f67b75ad2c34950bb2931ad789dc
SHA2565704a09baeb34c4965ba92c58260a4d6c2e97ab1fafb59e9ae4f9082d97e4656
SHA512999fe6822576ece1b704fd7743371bb1961296a15b71b225c0cfa350945bea64aae4f87b137fc019d6604d6137828bf0779534431a35878ef26f7c9e7b73aaa7
-
Filesize
1.2MB
MD5717e0cf59b712649742cba8fa71f80d2
SHA120589429525802874390af09ed9fc0591b347042
SHA256ce7b5fc41b96aacea4ab3dba99ba9cbb59363488ac1a88889280321328acc9c9
SHA512b9276386b937aa1c1da7143d42e47a6de9f943c525b855d35a79d7c047b34359a40dedd96696bc770313874f17d601d7a8f1b8031ff2270618cb05d1101e3481
-
Filesize
1.2MB
MD5a42b82b1d7e931a78a13092730490785
SHA1408d16d91b24b7b45796676b986ea4c133c9e3b7
SHA256dc7eeedbeb91851eaa08d1e76cfb3ce160e6e3080dc30d9d694b5aac6dbb0f4a
SHA512a86dadc1e4b5e1feffa9e8f5a3e9a36dad6f1ceac96389d66f8a8d296a5b6ddeae28bbbf8393cec41cde89d1682c1c1688547566e420d1a0bf1d3f63d95c4e2f
-
Filesize
1.4MB
MD5243723f4f59a42d46def763bd670ea8c
SHA14ca82bf713f276613cf99ca7b48833f4a56bf4b1
SHA256feeb512c6325bdc135599a164bac9fee0739d15f2a071214314126b3230b5a11
SHA5122eb2f3455beedd0443db1c606a5426c9005bd6fa8f88dd370b589d9e3b1e1915f47ee466a041287f6305071c52eeef27d1d3079bb6c7f9d58397e63623a5dee3
-
Filesize
4.6MB
MD54f60d18b4c40255b5a084707bbf9448c
SHA140c681b7350e6a6a60fba866967a28bb7b69fe34
SHA2561f3891c6a64fa4e44e66d47f628b97b9b319321ee911b91d421569b3941e6458
SHA512aa93fd6d2555c922252643e7f4d713169fe47b6d3c5788f50a720713d52509081ffdf5206aa7d9286ea2bcf11b1d0ad2525f314681f773bc8d55d3ed21dacd39
-
Filesize
1.5MB
MD5d742435143c5582a7735794effbe80b7
SHA1d36220e46f499591f6177f8e9201cc022f409a04
SHA256cd0034e795e19359cd5865186585a3e028dc25977bc7dd351a53d070900d6364
SHA512f5acee09eeadc9fc438ded9b411b79ddc1b0c2ae2d72ec24f558d201e7aa41bdce0bd12dbe95cf719afe6a51f81bb9b66f65c5b70fe99f09b95a443f46b64721
-
Filesize
24.0MB
MD5a78d7de9b1560e68f0fdd1dc0bc73371
SHA19b9890c1253cf372d4b18d8ad163a92187368fb4
SHA25615db72efef7b5f132748d75942c3c8416901fd9edeff14fddfa7c2d9836ef253
SHA512d6e80ef20e73480c531bd9340391183951375f7596803f2084a55b4e0a1727b8b5bb78a973f9e511e945b750047a2950ca19e31a33ed89ef4c2118304b0a371a
-
Filesize
2.7MB
MD5b36e8680f78ccdbd574af8dc10c02950
SHA1882d02d0cc84a992bc73f9c2f8be1e41ec63ab25
SHA25676ef0085cd1c4fd9436676bb5b415bfb6edb4518b98ef3980d7301250bdbcd7f
SHA512b8c30b38bf954ec2d8cf2919835bc69ae55ef348718956f5044c3fc6776ddf32d0db9aaac6b0b06af00b398d07189b608ba7249b086a739625d108c133a68cff
-
Filesize
1.1MB
MD5d3a5effc18b566aadcc238af716e66eb
SHA1375da4dabb738a5a57b53b31ff073833f44bf5a0
SHA256d387dd0e4060fd4b33c74c1bd66b56b7e7cc41599357c393b19ea74faade947b
SHA512e89fd120d7169ed08706a2f710478422557fc93db97c931d0fb6b5849811e06e7861d4e71a1238af1c49cd1193ef10a8f59271dc8888505107ef434fb0355ba5
-
Filesize
1.4MB
MD57530c39f41e862a9d0ffae6095ebf859
SHA14dcfcd8965ffc4984f1fbad3b0aa8a102430a870
SHA256df77c65d3d027225dd4c65e3080ff8d5069f5b98d6a7c64e446b45b50bc455bb
SHA5124e4336894293b64fb310cf6b00eb3301222f43129c071acbeb743a093f64678f3b5867fd045a6ba1519af0cd4a57a1590dbf2fd7a5ed138f2a6fef54f446436f
-
Filesize
1.3MB
MD58876090190cde300f611988a374317c9
SHA11960af309eeb6fcd822071465a10775755e6a7a4
SHA256176b4527d1b816dda2632427f71d0bec1dd43b9901310286c2d800c47daab828
SHA512c3e1ad9240d69505a8e91df8d0ffc9c68ac92d4e16583372a3b8be88a3471d53c94d0513d1681ad9f322343eaed7a60c929682c4e3ce6231dbfbe92b5fd7295a
-
Filesize
4.8MB
MD5018820980348c4e20d7c348e2be5f0bb
SHA11f3372a42ccecf4750700e75e67cd08ec28208e9
SHA256c5f459b0f7bd86c934e5bb55b88131d153bbfc67200f274f127ed130b975a366
SHA512c2644a3429b49bd629d2392639bc31ff9b90a220accf21bd4119abadc38bc20682d92c41256a9a3f9745708925fac1d0db9ffd393debc90bf2e6e9dcd2a8d245
-
Filesize
4.8MB
MD5b947286bf90517eada149315b1b57dee
SHA1ef76f81917f763aaa1c0af705739600e70b9ba04
SHA25651c5154509359e653c809423d68cf3bcb5aba4875da89e3dc6fd73f1e29ee7a0
SHA51236c96b5d1bf7edeb8630d480c22242cc429408b83105695fc2fd7f4faf083412fd9da7e7643eadff2160b9a9a2e2b5b3f1a4f3174ac56afd3f4e6ac1a49f1e65
-
Filesize
2.2MB
MD503ba9c60551aa93515f2134e00d61424
SHA1cea0c64e2ca8a6cc72e553b0befacea5238437c9
SHA2562c07476d3a9ac4dd87d15c12b79302f94e2734adafa8cce5731d2ea024be1072
SHA51253b2ecd63134546b708f7768997a3c5f487e8049cf54cc7b3cf2df74db1ab93d7a29cb833c46f798fb3bfacd1281701a7dc395276abae2bbcd98147d39cb33a3
-
Filesize
2.1MB
MD5a31e411522cb4b16a770653cdd09508a
SHA1e5d48487c967dfb685eb397252ac7aee9caac806
SHA256ea0be9524882b3a945746e4bcb3a41580230ba9c035c32cd3621be06c2df6acb
SHA5129dff95a558ebaf5622d7f0092e7ccda10e49bbf780c3280fb97b7e6e444a29a3ab9784f1d4c19c847177595d46667ffe1a059a7c226c4c828effd3e0474b47d8
-
Filesize
1.8MB
MD54384de2d4e1b8c25f3cb6b7b6ff7738b
SHA101f49330cc2b870cacb0838874c67dd0a5e4207e
SHA256317be30561bc70bea24f85e27bf2185177fcc5470e756956580d748dcf6c1267
SHA5122e922c6dbbf4827513c728fc8f7cf2380d563d53f85c67703ef946dce676bffcfc73fb04065621ebbb06525ab2c7a9457cd004c06eaf9c19f4dbcb538a7f9dae
-
Filesize
488B
MD56d971ce11af4a6a93a4311841da1a178
SHA1cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize
1.5MB
MD5
e96de010b05f4839c86e3ce7648e34ac
SHA1
23d002bfdb16174cc3822879d2a2c019871b43ae
SHA256
eedb723c9eb3a98653092a0ad912b6462114ba362b1b7096047189128d06e583
SHA512
b8b903e4ae21d9a8640fbab8e76c72a0d8945fa172aa9e6d46b7bf6b4d062c22cf9b1e7fc1b0c1a675cfc61de2d5a27b8a1e8b406540e4b27c125f1a4ca6ffc5
-
Filesize
1.3MB
MD5
7d5ffe3fe1297b4731ed4d01baa2a625
SHA1
e00f2a9d4a50e72b3a23b7b7291147b1c4630bf9
SHA256
5f9695eb7eb233ef6d17a85f69a6f3cd68fce5bffe1d7e7e82a834502bc40b7d
SHA512
52c7ea3eca43b49866f45a7f0e2bb274e379a14e658692ec7f7d3f2ec77606e53de51c4beaa4f13cf6a5caff7e3a6cb6080e1344e0e7feaeca6b59db65fcded3
-
Filesize
40B
MD5
ed934bb42e908b65468501ef47d375e7
SHA1
449eed75ed041b4301ad5049fb27f526f8e620e5
SHA256
a144b757ceaaa38b14001908e4524269736b30e4ee3548883f2d9c1f403f14a1
SHA512
77ae06736592a690a229b57730b2f4abb4d924bcbeb5c67a60f424bb6678fcb72f1481154018ca60603b246bdd10933952bb1324b76b7b1649d9b79795919cb0
-
Filesize
193KB
MD5
ef36a84ad2bc23f79d171c604b56de29
SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize
1KB
MD5
cfce689815d981106f2852f0d3387611
SHA1
52a0a33c2e7e6c4a9896c5eb26ee3f28008f1990
SHA256
16896bb27a59045eaa847a257c4cfc58694567e47f3c0ef3f3cd29b1f975d7d7
SHA512
d349c07bba0651d579f14c826f875dd689c05b4f8da14e88d4b2316860de60cf2d44bfe2fb63939288e29ad92763eb7fd8e839cf5eb1dd31edda0759348b072f
-
Filesize
371B
MD5
7ee47bd8a588ce4383ac5bec1f86f6a1
SHA1
1c846927332ba4e9f5e1b10c964f1c1a7146b334
SHA256
2d7587e7df93fafec1ce0e9606aee890b57bbd36fac9fbc3326a604f9264a78c
SHA512
47c604aafcf0fa4fa754d80df4f0779bd3f166a8f16d4500a9109132aa2359e36841d72297f5396d84639e75ee201c443dc9a22c2c1aa77e4a48ed85cb56fb10
-
Filesize
5KB
MD5
e7297d0029697bafce210c4c75bc2d2e
SHA1
3028038befe4b71c34177ceaa7fc11556d33fc51
SHA256
7bc73e53eddcf978d1f6a47776b8b814582fe9d977194a28758eed92752bfc9e
SHA512
baf7dd56b4ce5362695c9125dd7b4e5595d8f7f877fc9613f6df5d097f546f34af81ebd249e5ade089c04329f4487e9d9bce2def39abcb3185ddd2004b2ae4b6
-
Filesize
4KB
MD5
3cb2229bfc1dce315b2826d443aac3ef
SHA1
cfe8080a964d5a938eb92827d5456e0c922567b1
SHA256
47ad469b89bd6ceab5146bcca9665d4dc5e6160d2ce00ddc9299a92e7de7314a
SHA512
419fb40498d6e29c0dcae73383c310e1d4226133fa290ed2d7beb42d279d49c34634ae73e054dfb057e2f0f587a966c71ff675e69e13ddc26f988bb1e978727d
-
Filesize
4KB
MD5
16c67a19ffb70796b695fcb94e094f8e
SHA1
3198287938d865843deb8aa00fd63ca1050b8ed1
SHA256
6fb5014477dcbde5b1e65f2f3d34cc8ab429e7425f034d31d76bc4536a58f89c
SHA512
a661e77ac8cb6f05cad162d63ce7630dba03e0fa15d8beb41c6c19bbebf957516a47b5663bfd40aa85e88545d5c88fa442d2e18013f61222e7980c7b9f8613e4
-
Filesize
2KB
MD5
96369edd1a4ffbe3b82168be4cf74b6c
SHA1
b3fcff571d5bdfa454dbdba1993921f374561acc
SHA256
99957138c3a3b80e8db4d353e5990f2d0f9dda00f16402c4c918657c7c155c61
SHA512
702ea20ec2cc6f6b526759ef549c9cad339c69ee3d2c3c2e7eab8323273049d0ce333abab50e4d4abf860389c417c5e88a526a7dfd84c7354b3e3b868e999d35
-
Filesize
15KB
MD5
7b424514d6fbabfe24633f34962f06cb
SHA1
baa2d90923de5893f9c016d5261d39e39b8a2ce4
SHA256
1a05d87885293a79110ae716239b7becdf20efa95255c6456ab5496e8028e609
SHA512
6ff3950ba49c884c0b023714a7281a52140053eaabdadcdd7b88ddd43def9930d6926255bedf327adb07b50e1735747e9eb3364be17b00cf1b0f6a4dec180869
-
Filesize
260KB
MD5
d9ed64673352f41fecfd826934148acc
SHA1
de0c1ad387c4e8aec7fb646f034ca5d33c10e419
SHA256
d7833100938b9e3a2ee3a753676027e3c17a412ea0d5a9d6ad25acf9c468d856
SHA512
d218491b34fbce37a882ee0edfd9c434b7e312e15e39287a394d717b63b106b154533aeeab7ec6490ab99dea66e4d91fd2f10ed6aa629ea3d6c0f32eed4d4354
-
Filesize
2B
MD5
99914b932bd37a50b983c5e7c90ae93b
SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
7KB
MD5
d0b8f235916d3d9ea2c0452629069865
SHA1
244735e63728fbcfc316da6b21a737661bae9f93
SHA256
dbc0b68fe9c4d24363763997cf1e5fef70738a2763d5aa9b626223d8d93ade4f
SHA512
4ccb6b4b88da3abb0e182ebe8c14273425c99c2de30231b80f719ac50d0e67c197dcfe7046c5405ea561ce5c81a224242c0e128f291b62c67d4165bf8b008ce1
-
Filesize
8KB
MD5
f267c362bc62e1dfdf991434d6a995d6
SHA1
ccf87019ec6c889c48be19be15cbd2ea2c401491
SHA256
becdebd978e700b22a0eed2aed421c9388779a1865ead25ef0e1edaa4d1c9b2c
SHA512
834438146fda6067894d6a93da9930f7199fc7e1d5bbf61265167cf1df3b16f1196a55575e674768a2d8ca73c8345772b8fb29b6477ea2949288ae346b65b6f3
-
Filesize
12KB
MD5
ca58b559d9edf7475d92ec5b15367423
SHA1
a95d2afe690a272063bc3dd9a8cec552015f95e7
SHA256
5271487f8fdcfedacf72d324e135523f7918762c9c0bc354d8673e31d8818248
SHA512
af0c685318919aeba0d416c471c19c7674d1f15f75c7b26cd6625216ab9d8d3a21d511f551d224d633dca7f6e70ab807b80551140bfa0a14bd1745e553914415
-
Filesize
1.2MB
MD5
eb4735697b8ae3d32afca4dbbd122eb9
SHA1
f294f402b593484e64bbbb1d4369d04ee630a755
SHA256
2bab1ec29ba086afbaca8f9147c83d121152d857ae7f2cdb5060e521212bed59
SHA512
6e8059a578c8572d1fc77cae16c6ac787a7dd16856964eaf15ad0cf3e16803e2bc7d8ab32b1d0a87c977d4ee76d310fda7d4b56c6beadadaf30b813dd68eff26
-
Filesize
1.7MB
MD5
e86fe0141bf85fb597163bc6fbf0caa1
SHA1
e1cb781fccaae70c20b6737d28c4e66cda941279
SHA256
639c5d1b1c7462dfea412d0058e9a57a1fd2f1799023d40e8f0cfbd9ddb22828
SHA512
1b3d20d0d23c945fe4f4bf6ecac014df1634ae86d0c055d5345b37aae48f5da6e754685db8e0d9439205268ad3d9ad893755d01b3b2c123f98cc072ee146fa5b
-
Filesize
1.3MB
MD5
6a4f404916a779a74e385146d4892a8f
SHA1
00f601d2e458e109d80849635bd794f0781b8d73
SHA256
27ae68e38fe992d980d4d588a8ddd73054c4ef16ca141dd1d8cb7345aba95698
SHA512
5d687db71bbf73dbf1ed1b9fdf6f756f26b85bb67e15d857d12109d672983cc6bdef71043896d2deee357649504659a23c489fa9cec8892eabdb024fd5293817
-
Filesize
1.2MB
MD5
4dd7da4933661e9a0c8e625f493f429c
SHA1
e3f9cd6a749b19e6daf157ff3b6bd234f6bd6607
SHA256
3b54f283e7773a155ddf6efa16ebc267e1e547668537e3aeccaa499f24d86ce8
SHA512
6dfc76bb267a84a34451b3414b7ce4064ba26f898bf600f0fb79671028e86aa65a355da9cea6cd5448b8b5afb7fe5b4c2042b1d9035df6ab4893349b5af099f6
-
Filesize
1.2MB
MD5
45c0d6260dc35cb4110447da31e42493
SHA1
87775d50f8489fac657c5710cd0cf98d2eb9495f
SHA256
db3c909b639166b7ebc2799771314e3843e8b5d4ceabc8d22dbf736b82ec8799
SHA512
75b9ec5da63a3d87e623670269c4e74b5b24d0f977431762610e7e44e4a846bca1098dd31ad57315f0990a93b975c47b6415f36e528f667e83d68a6b4d24fb6d
-
Filesize
1.5MB
MD5
9cbe693c64cc217697fb2aa4b46ca4ba
SHA1
866fee444acd9167d61b52a4dc5da4980acb404a
SHA256
14e38d8351efb4d7543088dbcc2ce15b67fa67d3c0effc7e834c4fbc49c76bee
SHA512
331b3efb567585abec9a5d5b161a0758f4cb3509f6dfe97aba2937dc25f60552c4fb8add500aea113df36fe3cb77d8e6556505edaeefeae0170f45505e10528c
-
Filesize
1.3MB
MD5
e30fe81543e06bf735c3c41ef1051b2e
SHA1
f9b1c6b49f935a1beab892d2f11f585c7d113646
SHA256
bb5a349e07a5a14ca5623e04d78db79a8223af92d14bfd44db5789958867ba6a
SHA512
2b402d305ef5c18c54addc641453d3ca0569658629a6e4d36d1cf7ddac77a435f02ae172ff4ba41b11a2b9c48085519326530f4f633fc7ea7c03f0f2f910f9dd
-
Filesize
1.4MB
MD5
0953f1c5a3e3ba35e5ac8bc16c898efd
SHA1
9db755be52b821a2d5deed09781f02a7ec61521a
SHA256
7cff38fa7449e6e5918a9cbf893b32a9d73cbcb933afb1958d2c8d5cb648704d
SHA512
8f5896ef5dd9bf9d8da61fc437c74f3cd8d66df6e9b2f10760e646ae0d265c6bc4117638b1b5ab15dc54fd1dd23669d39773d766b489526fb6ee59630bd7c501
-
Filesize
1.8MB
MD5
1d4f740e3eea1b0448eb92a2d4bae9ad
SHA1
77cfc5db8adcc4d3bd48e7909db35f9020af2e72
SHA256
13bdaf3d8347dd271467e640e4b936aafd0b9ba1d100fc2151236f26d5bdb60c
SHA512
9b1ec1eaea3aa0060402afc1f7c3806db8499110fbc1b7327d40c5580e94f8346fd2b84cf178dae7060fc8b36d477a60e60748898f28c92f754c38efb11dc351
-
Filesize
1.4MB
MD5
1860df157f4877d406ed1290b54e6a28
SHA1
2e9bbfa8d9501718a2eeaba0b8ec7ffb7b51d47d
SHA256
8e20381cc57f80611da3aa7e09fe3e6d142f07b148d91cb962d1f2bc564a77aa
SHA512
1303b630965bbb80afb592edd8112b3cdb7f2fba12a9bba6ec6a31e34ce76b78f9591b318ba3f18caf2d8c3b46d75fef05e9c067218886959f529d2fd81e3e4f
-
Filesize
1.5MB
MD5
0c7dd5a45342d40d8029253679ab4518
SHA1
6094da24ad2538d4a71e4506870416e5185ee388
SHA256
90d9c9544be461b8f765da628e569b3ad6995a227df609a62f3db6d1d2b5c74b
SHA512
63e3a69a389d326ca3cd6df8231ffd8b7b0ad47c54d0edae741a3a8fb57ce0fc07ad7b099deb7bacef7e8919a9a2beca991babc443dc70f097b45aae5caea3b0
-
Filesize
2.0MB
MD5
aa93dcf1e87fe6fef42bbe682268043d
SHA1
3f687cbe77766eba5baa486d397f4188e401ecd9
SHA256
3a0301786b32adbd6a3cde2255bdf49b9be947e483ca483186993b236bb6dfe3
SHA512
a64cbf6e46e0510014c0fa8a83d40bbc001f3147c201f8f9e2761e957815b67768d463d2b89051cf9ba2e6819506af2efda95d143a9014afca1d5ba3772a1d65
-
Filesize
1.3MB
MD5
b81a9c12405919f7ed40ff37a0f3e3da
SHA1
f980b689d5ccf267266254f86347ef212545ed88
SHA256
32dd2849828ad8b5f87b2a2038acaf2956d61584609431865237b90dd4041c91
SHA512
1d550a6aa5e6d7b8ec9e52d085adea145fdd9be376274975dc94a589911790f9955ad42d603cc3134f95a532f440d79401799474e11f4b1eea8cdcef0bb2fc1a
-
Filesize
1.3MB
MD5
b737774826cac65b2856566fd83c0dce
SHA1
0e3b1f43e92e6ca5f196773b1e1391efe254aba5
SHA256
11f22b9331acbda018f3a3519072317c3fc5c583141a30f56e923821904e6961
SHA512
2a105330587f207b5225809b206353d1230bbbce51c4f189071a0be17f305f7fe1ac0c8708dab23e78b46b40b6eb3940f169dcb756578752ea50eb603b0db613
-
Filesize
1.2MB
MD5
55d48b5d7f5e6df1a797c462a8decf33
SHA1
333907036ef07a5c8492429afa93a685a070bd0a
SHA256
9b76712fe4fcb50d43a71850c00977d661d7cf57dd1859928799af151f593524
SHA512
bd43c16f2848b76bc7112a9e647251953fc7c515f1fb971e44dffad4b7030272e564d5797b6c3c2a06cdf9ca5982f8ed7a62c03cc4360ff24e01b627a74a2c39
-
Filesize
1.3MB
MD5
f6d4b6dbe4a90be4c86b6787f1714ddb
SHA1
f397c2d8104b6d18400e78dbd92df5ddc768f618
SHA256
5e225ec416da83423d1b014e2de0257657c468f21948ad3195457adce2714271
SHA512
5011a56c19bb9711088d473bbce8e36af0adcda893581b2048d95f25e684f07430fec9289f56575529f321a9a1cb0b1cb0b72dae47b813d4ae4322e0c11a0250
-
Filesize
1.4MB
MD5
0bd0a3f2272c3843bfc5145c36a0a59f
SHA1
ee30b9af1ad8b66e9e2c2e04e3923650c8775beb
SHA256
d35d573445a8ac3bb469cf21300ec429a3fae59a01a83bc0448dedea34e3b9d1
SHA512
7f461d721aed311067e9840eefe6520419a5150d95bad524a9770194f7b31ebd82bbd617cf9edb35ffd7b6247ef8d948110d9de48753bab6d7d396731992ba9d
-
Filesize
2.1MB
MD5
0fb9b24ba7481c33d49eb79c8ce144e8
SHA1
dd88988e160e42cc613d78960be73f8bf5f58337
SHA256
8607180d079d4481bcc08269a42e7e2acf01a6fe5c6f9caba1507226e50c4457
SHA512
fc8f2da0af9958a5f3279326294bc79d27cf67563ad00d77bde78465db67bd72295c83ae86f6f610ff3aff84f492fa04035fad3bcc62b465cc43d81be04518ce
-
Filesize
40B
MD5
2100de2aad08d29a00d3c437d14c3e51
SHA1
36f743b567967691732dcc12be982ab5af66dcdf
SHA256
7f178b514e08273f35498e058197130f73ccae9a935c71a2c876973b8922b33f
SHA512
b391cc0e4803611ce3e2947e7160d43b417dd94aff9e607952b434fa1973b49cba10462a72b620a4bccbdbdd6ccf3214a782324e809e57f40df4abd65a249f36
-
Filesize
5.6MB
MD5
f200fda28a2c33397ef054cbecc2c90d
SHA1
94aa2fdd5482a8750ca97bc65a7687879bf07228
SHA256
e64db0ed4d5e61cd641ca3707a27f4164f4011dc0dfb4b71a640486b43c728d4
SHA512
ee3bf7047c608cc9da58f19dca820b04f06669f7842547c04df304dbe9359ad18194030bd6ae120ebbed7fbe07e56198196b2263654d65e2e176b16b320b08a8
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e