Analysis
max time kernel: 151s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240319-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-04-2024 00:06

Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-08_a3f6943ff0329e9244886d5d04651fef_ryuk.exe
Resource: win7-20240221-en

General
Target: 2024-04-08_a3f6943ff0329e9244886d5d04651fef_ryuk.exe
Size: 5.5MB
MD5: a3f6943ff0329e9244886d5d04651fef
SHA1: 408a7039fa4b628324d693de4b28fc63825273e0
SHA256: 7dff63a439f53c50a1978b738663d2d2d9bb76e09a24bf3ffb536e480d155b61
SHA512: 9ac1d0548eb3f8db2ffb0171c67fcd7651c18909a233d1feef67caf61982b77bd9ad031f6fd9d1eff67c9a2086cd84eba45af9db822cb1c2b297ae0f16e4d8eb
SSDEEP: 49152:yEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfO:YAI5pAdVJn9tbnR1VgBVmmhKOYn0um
Malware Config

Signatures

Executes dropped EXE (22 IoCs)
pid   Process
2776  alg.exe
4036  DiagnosticsHub.StandardCollector.Service.exe
2676  fxssvc.exe
2660  elevation_service.exe
3336  elevation_service.exe
3596  maintenanceservice.exe
5392  msdtc.exe
5508  OSE.EXE
5816  PerceptionSimulationService.exe
6020  perfhost.exe
5156  locator.exe
5272  SensorDataService.exe
5340  snmptrap.exe
5464  spectrum.exe
1936  ssh-agent.exe
5644  TieringEngineService.exe
6012  AgentService.exe
5740  vds.exe
5400  vssvc.exe
5852  wbengine.exe
6252  WmiApSrv.exe
6396  SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, etc.

Drops file in System32 directory (33 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
description                   ioc                                                                       Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe   2024-04-08_a3f6943ff0329e9244886d5d04651fef_ryuk.exe
File opened for modification  C:\Windows\DtcInstall.log                                                 msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe   DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                    Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
description        ioc                                                                  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList SearchProtocolHost.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133570948324587746" chrome.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c2492ea118ada01 SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 48 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
pid   Process
664   Process not Found
664   Process not Found
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid   Process
2292  chrome.exe
2292  chrome.exe
2292  chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 3 IoCs
pid   Process
2292  chrome.exe
2292  chrome.exe
2292  chrome.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Process tree (indentation shows parent/child depth; behavior tags listed under each process):

PID 2152: "C:\Users\Admin\AppData\Local\Temp\2024-04-08_a3f6943ff0329e9244886d5d04651fef_ryuk.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    PID 4064: C:\Users\Admin\AppData\Local\Temp\2024-04-08_a3f6943ff0329e9244886d5d04651fef_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses

    PID 2292: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

        PID 1568: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd8,0x100,0x104,0xe4,0x108,0x7ffa0a159758,0x7ffa0a159768,0x7ffa0a159778

        PID 4044: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1908,i,7613726680229745034,7134060481549851505,131072 /prefetch:2

        PID 1728: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1908,i,7613726680229745034,7134060481549851505,131072 /prefetch:8

        PID 5052: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1908,i,7613726680229745034,7134060481549851505,131072 /prefetch:8

        PID 4852: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1908,i,7613726680229745034,7134060481549851505,131072 /prefetch:1

        PID 1640: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2868 --field-trial-handle=1908,i,7613726680229745034,7134060481549851505,131072 /prefetch:1

        PID 5300: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4592 --field-trial-handle=1908,i,7613726680229745034,7134060481549851505,131072 /prefetch:1

        PID 5460: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4724 --field-trial-handle=1908,i,7613726680229745034,7134060481549851505,131072 /prefetch:8

        PID 5468: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4872 --field-trial-handle=1908,i,7613726680229745034,7134060481549851505,131072 /prefetch:8

        PID 5500: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5020 --field-trial-handle=1908,i,7613726680229745034,7134060481549851505,131072 /prefetch:8

        PID 5640: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3828 --field-trial-handle=1908,i,7613726680229745034,7134060481549851505,131072 /prefetch:8

        PID 5944: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5496 --field-trial-handle=1908,i,7613726680229745034,7134060481549851505,131072 /prefetch:8

        PID 1304: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5812 --field-trial-handle=1908,i,7613726680229745034,7134060481549851505,131072 /prefetch:8

        PID 5640: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings

            PID 5972: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6a0557688,0x7ff6a0557698,0x7ff6a05576a8

            PID 5660: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0

                PID 5612: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6a0557688,0x7ff6a0557698,0x7ff6a05576a8

        PID 6060: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1908,i,7613726680229745034,7134060481549851505,131072 /prefetch:8

        PID 7072: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 --field-trial-handle=1908,i,7613726680229745034,7134060481549851505,131072 /prefetch:8

        PID 7080: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1908,i,7613726680229745034,7134060481549851505,131072 /prefetch:8

        PID 6332: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3612 --field-trial-handle=1908,i,7613726680229745034,7134060481549851505,131072 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses

PID 2776: C:\Windows\System32\alg.exe
  - Executes dropped EXE

PID 4036: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses

PID 3340: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

PID 2676: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

PID 2660: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE

PID 3336: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\elevation_service.exe"
  - Executes dropped EXE

PID 3596: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE

PID 5392: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory

PID 5508: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (image path \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE)
  - Executes dropped EXE

PID 5816: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE

PID 6020: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE

PID 5156: C:\Windows\system32\locator.exe
  - Executes dropped EXE

PID 5272: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)

PID 5340: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE

PID 5464: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)

PID 1936: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE

PID 2836: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

PID 5644: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken

PID 6012: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

PID 5740: C:\Windows\System32\vds.exe
  - Executes dropped EXE

PID 5400: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

PID 5852: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

PID 6252: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE

PID 6396: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

    PID 6284: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS

    PID 6372: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
      - Modifies data under HKEY_USERS

PID 6116: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2244,i,861925222566734100,5228329984880658054,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5257bc1f817dc6b811242bba280dd89e9
SHA1c519f60db38a59e2ba8c3fbcc0ae551666cf350a
SHA2563485c908a875788d600fa676031d4f5dfcee4757bf907d6217875260b232ba82
SHA512bc07b51af8197034aa98ca2c6d935d12cacc0a0d178aef6451e772c518104d0bd6a16b0c534aeebf67e8bfc8d9e6d90e7960212a492cdb73e29ba45c3db91338
-
Filesize
488B
MD56d971ce11af4a6a93a4311841da1a178
SHA1cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize
1.5MB
MD552939977d7ff2b39f92bf9d8a7102beb
SHA18940a41d6535d7f191d05c4b872b549572376bcb
SHA25648b2643b6fdde7c198df85a8483e74516f51edba0b05e3000d2ec92a16371828
SHA512da719350e08041296f68fcd27734af58c40a6a6eae3785cc955361a6c4c036f4c8db6db95ceacfb4094f5fe65c8d9e777b18d1f9a8e74c07c9b6fb8026940964
-
Filesize
40B
MD54a0b907083f8afcc81fd894fb6c45d01
SHA17161d696223d3373ccce860cf81249d7f738a02f
SHA25687b0af1a5d48c9852603c2cd73097e27beb903aca92354231262ceba0e276e4c
SHA5129a917882b29ac03f6af556b1c4cfb99b5e8260a4bf9a179b91cb1a1ddf47c1cd5543b8d7f008d955320e567dd4fc0236e187717d4bda748289700b3fe920aca4
-
Filesize
193KB
MD5ef36a84ad2bc23f79d171c604b56de29
SHA138d6569cd30d096140e752db5d98d53cf304a8fc
SHA256e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize
1KB
MD5ca0d930a5513031cb73f8029797393e2
SHA19d72d833a7c3635072826bb011fd1ae50e54ef12
SHA256771c88d5f4b7711dc7f880dd0f0b2a62987a791b7e5b265d9577f31a4d9cc7d4
SHA5122a1afaf4799214ae87324fa0cebaa7aa52b6f34b727e6e83d4836c6e06158f213e224529eeafd1b187b2adc9987e1402f958f7ad1e3304dc40dca2719316a225
-
Filesize
371B
MD5840d3e5912ede5611969263e9ff944ba
SHA1e42d51607a9784c5333910878965828bdc391817
SHA2560537f0cd673f6857a490a3ce9e04bbca85f4bca5d1410fd4ab19b2e5ee199b47
SHA512ee69bea971be8113107d350cac630369852f87e3513d38be2b9a4f701edf9710aca9e46811bf891c3cef90a318bbe6626b8c0b1e6a9bf7f2dbc88557b47f5e01
-
Filesize
4KB
MD5e5aaaaa3d43b1b9e1ae48c4840a2a45f
SHA1a4e8b91959540a2b43ac47e6d54ee1903bddd553
SHA256ec20f807384bbd8a02827e3b36a2b27a425f01af96982bba6782d01f4aadf981
SHA512d253595eebe7dc006a5d345ba4af06fd7f59de9de1720b9422d2d62cea943856cd94fc28c6c94970dce3f87cc1ce8a5e91ca80396b8248cc3c2cd5f3662b0e74
-
Filesize
4KB
MD5735229845b0f4da958858d36595be1fa
SHA16156b2616d3098fe796d6339f7aa5e9d841ff356
SHA25657fbbafd507b1462e51ae474d302ad8d75a3f1fb8cda1cc9d2265766d9c14e28
SHA5127649221f225b57bb2ac397d95ec41056d0652cd61cb32e67e3412b8c8557347cd492c367fc7827d09b609312b41cedaf896df95206f247e9049db543877e4224
-
Filesize
4KB
MD5fdc8ad6e1da8f37004591581163876e4
SHA18dc7e87e321de8461120e3f127c24f89c3a16bd7
SHA256fb4a6e936d6f25125983c8da4bd1aefe7206b18bed6dc3bd57d8c3bc823394af
SHA5125c90403507fc1b642424af2445ccbc329c32bf38eb49adc40879749396c608e265522925d4caf8a7e5834708be638d7fdb24e2081ce736cd964cadeba6f4ead2
-
Filesize
2KB
MD552967a4cfc743203819fc0de12defcc1
SHA1ed45be1b5bfb7f0f05dd9c2f1dd03172f1e85649
SHA2567224846e2eeebb17ec177a55a26d93c9b4d4727770da01c1806be5575c241b02
SHA512bf06df623f6a3cf980d5e9e726dedf68f9caa16c77d24c28487bc190b789a729573d507c155f2d0852356e7c77e4008805cba276841354a5a0aa36337359367a
-
Filesize
15KB
MD5feb6af7dc603690cf15888c4a78e93ad
SHA1f4cd694748a3b1f9e757fe543bf60bab0bf31cdc
SHA2563070e9ae3fc91c3ebae11b3b7be5263a150a16f998fdbf0b031316ac2c1225b2
SHA51294f19d57bc1e26e6f72071999ac9547e0a8c85a411f698777eb0696a8f72c090dd22fae4c9601f9d9d98c6bdf354ba0d311fe53fc5c986d3016e7e6bc15ff416
-
Filesize
287KB
MD53bb2f8696b72597e04dc0c98e5439c4c
SHA15015529f458e0c53bf77b134e9d012e0ed6d0777
SHA256ca4ed4d498a4cf734377f6b1e007164ae5bcf7ae84f4d0dccaaf57b8acdcb6b9
SHA5129d0ea0bbd758f0dc361bd99b197fa20d65939ad6ebfb86f20200a8951db45a05b9b5e1f4cd3ac5e9019b17a570fc733c94bf0bc0b9a04ed92066aeceec3faec7
-
Filesize
268KB
MD5fc94a87a9e4b2350559b0ed000d75ed6
SHA1288c4683a08862ac1cd76c5dfa4b7ae61c152d72
SHA256af693445b82c5fb3d7d662097bc4cdc7d8bb52f09c16d220b64cccca851f5b1d
SHA5126df4b3301c8c348d635946c7dc287c720bfd0195433c12620545dcd9405fa3618c25c4e768e2f6bbdb5e511fa06c324ead543b4c66effe641816d22eeb070d6a
-
Filesize
136KB
MD56d396bccfcd7f6cf76431b9a913bfe1c
SHA12fb4fad9d1af2e4c586718a4f71df21bf3eb865b
SHA25600c7dd507933f05877f148af888cdcb3419e156b5852de6daa559697240ac5b1
SHA5123f727d8c14ad15cf37895d27f783ffe095a996036b3b73a15ebff3580da1904e74d60b58b7f5c6e406382e03f91517f5427f97d6a19fb0433da14770dde2c8ec
-
Filesize
267KB
MD5bb8907b5734c2c7843383597059f808a
SHA12550d3d657360197320607ccda54373e4a632e58
SHA2560625f1ea4b5766fb74940d073c007bd931f7529dd64015ddc399e5567465f15d
SHA512aefb2291479e0fa64de6da64573cd4ae71a57dbad8dda47b72e814561d175746ca68f2b0dcc0d5f753d69d677b1cfd22071c877fc7d104e66a6a0baadd888227
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
7KB
MD5d3ad7e060d7c7930d851d132faffe1f7
SHA11652d40ab3f9dbd7c7938c21f5ddd5ac4fd795bb
SHA256de5494f712fdac15cc75d4db7423c1c27961b85b783eb9241e2d1c5b5798b72d
SHA5125f7af4f46836a08186df04ff08102ea9b2a154e4537e007daea1dc2a22f6a57d68e01be56140df7e7f94d5602e221decdb1f6e8ea60f78071f3051459bfb6bbf
-
Filesize
8KB
MD57901ed8afe47cc28e792f5402d09edb0
SHA15535663f7be0a31444e6e8235d5372982b4064b7
SHA256e66ee5227972bcebad2d95ae8892e3bc9fad3083111a45aca41538afb2489117
SHA512fb39d5fd5c1bf7985d873196f0a65e4eb05430bc8e099a770cfd7a611013cd3c55d9833949903adc9e2f2d132a255482faf093fa00ada7a0dfcebc1def91f055
-
Filesize
12KB
MD53a21e2e0b33cb2bfffb3a00ae2d5d353
SHA19b47c5a523d2d9eb7ec5cd08ec5850f5d1dff290
SHA256bcd2b25b8422a735e97122890eaab307faac66626ef976a8f6d464857ff135c1
SHA512703862ec8debe2747c7a3b35222a2588eacef667b456bd74d109bcd6ffda0a1e5df7b32d9e6a3d89358847913906c088f770b62b81c109e01156184587b830f5
-
Filesize
588KB
MD5274e3de915466d488d283c6fa01642cf
SHA1ef30042cbb8b725e1c43916ba7b0fde79bcdaa1d
SHA256b034ea9a2c97818fa8a58b7545967192815c9ad45e5153da2abba22ca9e98d79
SHA512a9bdc5e00f1bb9b0dd9e67f29614667be688662fa882a4bd7b67054533e767f7a210216eb0d3d3af1a510591aad2b2d9567b7f1c4376db150bc546a3986d3d1b
-
Filesize
1.7MB
MD50ffc6897110a99580534006212245b0b
SHA19bab176fad03208339f7aacf7ca71dff0b15f6cd
SHA2565af3b7724a60640bd15864f3d1a22e7375988d0ab788c95e77ba581dab710c80
SHA51285f6a8abe4207f21752f0e3a52ea8b3067396b549bcde2d6a2801d9dafbed019d3bb68e512864a59549478d39d13e2116fdd8ca7bdefb1623df006ccc6054fc7
-
Filesize
659KB
MD543eda7f1baa6a159f18d164f54c514bb
SHA1dab8437f3cb3e3cc2f6d99005e453cfb666f42b8
SHA2566d01480f50775ef3af9d5ce13596b667c46a195deafe53a4427ad6b04307505b
SHA512674213ae8ba6ac43140c2a6370faadef4ad5c2a9171b24c8a69f8e666b11bf5a35f3e846a847eb9de18dbf3fa6ad1df7effae45ed3f1379fae78c0411f24a76f
-
Filesize
1.2MB
MD54236a2427729c959b2485052ccae232c
SHA1541c10b03dce8c6f807d0a25f67d932af9286777
SHA2565ce9d10108b4b1374d44b538e888f8793eae377972de8addb7c9539e4f5b1553
SHA51266aae74d8b67e43b916158e5a00e9e0b47c9bbe810674f477b95009d9ffbb2b757195ebb18c4b82844055f834df434b6bd4889bb966f24307cbd5764fb42a0d8
-
Filesize
578KB
MD50507febc2c123a4c8247533f991a90f4
SHA1668395220129353975fc8ac9f0f4eae874bb5ac6
SHA256868698d5f9ed14f378e7af94a516d6f23485fc6bd8c6f0a017049fcc797361cc
SHA512b1c174ddc54ce830b82f523ad408cd1205575b494db7069a0fef60db520effadca00725345813166953227c9379d645f912a47b8cff0f3e61a6891ffb94c2f66
-
Filesize
940KB
MD53736bba663817877ee3593c1d430a6a2
SHA11ce1d8cb0aceb3dd9d6213659ece3cfd6ca0eb95
SHA25680bc3b28f4e0210a4e65544d490dc331eb6ee358205b91e428b0eb2ffd578cc6
SHA5122d2ebd71cda5afb12c04746d55328ef672ee92cd1efbc2a74ba442e414b658bd472aea00ae40ab975a30eecb7fcdfe8166b90f3b86f3a24741f2a7fccc5e319b
-
Filesize
671KB
MD5936bea86067393a07b4df54eae4d3dc8
SHA1812f5ef42198c2782f5f12b9c923c3fa6c1b0864
SHA25670c8abb50753794eeeac8cd6556dc67e80cfe59325f771df2c76ab43ab9f47d9
SHA5127d7f3c98bd32e71b4ebf0419d877baf3f1b7ba7d520a2792d0bda0c0f3069970864b60977e7b7593e7af966da3fd296fddc9de12e5ddd4b04c6534a4a0cc4de4
-
Filesize
1.4MB
MD5a26ae344468f0e9d29175948e230f515
SHA167b45b809fd89b9e5851a4742d9e1e0f2a22efe8
SHA256f56472b03bb3ef2524867cd6ae81de0ab00fea49b14e498a506b00c7eb4bb61c
SHA512059eaabef8ac84d5ebcbac58bcb2da6568e4284219a438257396221a13039a4b8e2176bcb6edce713c27dec8028ffd3b1adad90cb7bbc73a2e35073a7db16ba1
-
Filesize
1.8MB
MD5259bea39945581db18e3adace7368fec
SHA1e12b877d630149ffa8671a9a712e960acebf916d
SHA25624b7e851214e424ae5ad674c833494d79958ea685cef560ad46db117d50e0c19
SHA512003403127076f700a831f494b4e03c02073215bc55deec5f5c19af7bad69a37289ab9d11e3c6698eb9ade8af844af57dbcd218e1039e97274e7751fd78a93d7f
-
Filesize
1.4MB
MD5dfb9fe0040794c68ad00ea83b10c4246
SHA146e2ae22224842d5a521671f727e6140d49d7e01
SHA25642046c4efd750560352ec3ec970d4d808f4cb4b172deb7262a85d9fd3ab17750
SHA51283f149510c98f39045c823d6cda3041b07ad7534e8f43d1fd9dded9718a723da1206cc59ec7899e2521b7d33dc526d8d72234ec16a34e6441201d827fab13222
-
Filesize
885KB
MD584eeb55a5bc578974e6637bacd8b4ddd
SHA1384470cab9c4db3235a511b1ba25b21ba76335b7
SHA2562f712cead32b3fc4834ab575f46933339385381c4ea7d6f1abb3a631d06d3e9d
SHA512cbda4896c47b2823f64a4310b3ff2ffc90d405f649ddbd63b504f5762f768e147747ea2de903bb4e3ed105cd0bda9d1ea28d2069d642f14d1c2e67cd29325aa8
-
Filesize
2.0MB
MD537fba0473d4ab2cbfb3050aaf1287efd
SHA1495e384e1e2746c14f59515af31e507c928d7323
SHA256b82b3ad83788753ad8b74823745212a3fab522a365698c8a7c6b0da4f9636d10
SHA51248fcc33d177716aeefe0cdd611442fed4a4144db98967b55557e10bf7487cb37c1957e4453f397a50758e05cefad37efcdca8a9d1dd10d71f153f40211707a88
-
Filesize
661KB
MD50a938575ef35f759d64f3facde580f75
SHA11f581ac2643173bbb05188eaf0cc875f85f9d3b8
SHA2567659bcefb1eaee122facba7f7f6eccd1741736ac82fb8044e060fe636f90ab4e
SHA512bedc4605c7bc9500ce3fa7bc1461f9fe9d9f861f47dc99b9bcee514338ef1558c3f6307529f65faba550beedba23be69e0772bd4a5026c7aec354d82768f1100
-
Filesize
712KB
MD5cb8702cb88c203014d04c90062e31334
SHA1eec05654aa914902102e197b86d02ee1a0eac36f
SHA256a33ec6ecf63e4c028ca4fdf98abd5547626eefd6a7a5298ad17f723cd38cc527
SHA512281dd9122c284b718b9ebc30e41b36803f2d2ad9c46aa5c91a59a373d85d9c121cd2aabb402a9dfc7ee846ccdb943fe244805b7d47154331d59f9657ce4ca994
-
Filesize
584KB
MD56b2be7f27bdfcf9477e11ff79e819966
SHA15a9fc9c57e81af20e8c3e9a66bff015d6b89571d
SHA2563a98af029dce93e853e1ebefa59510886f3a60ba76bef6340c88815b74caac8b
SHA51253f8f002e2ebdb691d8014ca9c7c75b9d0950a9f818bc7140be3853be2b9a82b5d7da655428e182a725071c80c98c68bd4fe098dc2fe0937dffc12781ab71ae2
-
Filesize
1.3MB
MD5194510302826e71f1b34139a462b5bed
SHA1444e897aa715bba5fdbf5d1206d1191d208dbc83
SHA2562ef80fa5d76b4cde80637374eb975c73a7357add6ca74b01fda6e121f27f13d5
SHA5127f3e902eb8b205d661276bcf358cc83b9117b35405c966866cf2555cd5db9419efdae0afa14d9435051ed58f88f547521fab8188f433ba1f61fac59f53b5966a
-
Filesize
772KB
MD590367902e2f6b68b8449b004f5680dbc
SHA1e60d4cd2375109f1ca35f34259d4418e56edeaf4
SHA256b96401c4787bd27d09f87be4e65fb82c2b4a8ac3d4e5c183ecfb981d6ca071ba
SHA5127509decc4e94cf737f14cc6133a7e95a4ebb5b7c7a81ad16ff07ad6c21487be3285905badbadecc368013e00a69566abe99df08d2383cbebc257d22d5f18a6ea
-
Filesize
2.1MB
MD59b9e366257b2029a409e8c073bd9ca5e
SHA1ccd5ba3203e88332536d24140baabfaa34ba5c7d
SHA2560e401273fff139193f412b1c92d887a6cc06449eb84b3cf65280ff90b29eda0e
SHA51203841c6048aa424e3911c149c2efd51e2c6513fe8b279b6f7af9fef3d660da590a868d6620c87aa7a1d97d1059c3155b856d3efbdf6c010992481c6bc3a802bc
-
Filesize
40B
MD5d2fbffbdedf5849cc29340ca0e6ea5f7
SHA1b15432d75827aebac414008bb69841e5c890b4a6
SHA25693c9e06f21a86a204d4214bc6f3980ed3eb2251465b94788dca2f4c60975fbc5
SHA5123a554fc6035aec077626485987905ad7adb2c5da2d74ab46486b6bde7f13ca997f8f55708e64583980083442765a22f4ad4e95472cd44833b12d5a6af69a200e
-
Filesize
1.3MB
MD5b3823a7484544c0c51820ca5a9d8bbc1
SHA16a7ce4c0337c9444c12a31f1595f8933fea46794
SHA256f9c056f12a2d3acefdf626b3d014a3b04d15ac1b4cf4666a8d8a747048fb582c
SHA512c27fb70869514e1592d56ccafc1f7c3404207750c6b44deb7d9dfc6183b9792773dcb45ba25ac73c07cc1a372e2c187266120756211bbe91fa5a1d04f30fc06d
-
Filesize
877KB
MD5f9ef422292c0bd6a700ece36913219a1
SHA1a1baa23dd10761e333b325119e0f0791c70f2f92
SHA25614b832ae49b52f37257de823204772b0a032f67fd5d505fb5aba6ac9b25f36ba
SHA512cc9bf9d19ff3a1f623ff186015a31ab65f84babf84c874765379f78176fbbbf9e574005fd6e27adcfc075ce67ad9e01fc819825f157f19369305860c107a69af
-
Filesize
635KB
MD57f95700cfb52e06319df44994f1e2fb4
SHA16f430c06810adae435ba318c2a8435b3449013d3
SHA2566b506e6ae25c3e5c2fcbeeb856cdb43557af2299f032476d40e0c7f2e3acae68
SHA512b2ed9c7cbe18398df927f86f382e8d0565ff62d715a79742e34c71eb195cbfae460b20f1c1337ff64d0534921ad6336c1254eff9075f1668e439a9d0c66c8559