Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 27/05/2024, 19:38
Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
Resource: win7-20240221-en
General
Target: 2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
Size: 5.5MB
MD5: 7e79b0ac6f31bd5e3345ab3d92f89264
SHA1: f1c5152b556560f62c090f22fde95530c51da7d7
SHA256: b343ecb91b7e5442f71476849ca1c4a1b74ee3e81257151c454b798c78f6e12c
SHA512: 6ff1ab874da7e42100400f61ea7dbb2837828b8d96a71cdfb8631b93421ba5502635d273e74e5651ab58baa9bce68b60b5eea5a7b42a90ffac3c661bceca5ef5
SSDEEP: 49152:/EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfk:7AI5pAdVJn9tbnR1VgBVmKXvYCp3nyG
Malware Config
Signatures
Executes dropped EXE (26 IoCs)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
description / ioc / Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe
File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description / ioc / Process
Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description / ioc / Process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" fxssvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" SearchProtocolHost.exe -
Modifies registry class 1 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  chrmstp.exe
Suspicious behavior: EnumeratesProcesses 46 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
pid  Process
660  Process not Found
660  Process not Found
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid   Process
3216  chrome.exe
3216  chrome.exe
3216  chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 4 IoCs
pid   Process
3216  chrome.exe
3216  chrome.exe
3216  chrome.exe
5224  chrmstp.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe (PID 4844)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe"
  Signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe (PID 1108)
    Command line: C:\Users\Admin\AppData\Local\Temp\2024-05-27_7e79b0ac6f31bd5e3345ab3d92f89264_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2cc,0x2d0,0x2d4,0x2a0,0x2d8,0x140462458,0x140462468,0x140462478
    Signatures: Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3216)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
    Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4732)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a21cab58,0x7ff9a21cab68,0x7ff9a21cab78
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2156)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:2
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5144)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5180)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2104 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5248)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5292)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5664)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4228 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5780)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4420 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5836)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4552 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5856)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4700 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5968)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4856 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5960)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6064)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4632 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe (PID 6128)
      Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
      Signatures: Executes dropped EXE
      - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe (PID 5856)
        Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        Signatures: Executes dropped EXE
      - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe (PID 5224)
        Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
        Signatures: Executes dropped EXE; Modifies registry class; Suspicious use of FindShellTrayWindow
        - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe (PID 5848)
          Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
          Signatures: Executes dropped EXE
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5788)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4512 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5264)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=356 --field-trial-handle=1916,i,5414800312398085855,14051486345969911373,131072 /prefetch:2
      Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\alg.exe (PID 4704)
  Command line: C:\Windows\System32\alg.exe
  Signatures: Executes dropped EXE
- C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (PID 1184)
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\svchost.exe (PID 3184)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
- C:\Windows\system32\fxssvc.exe (PID 2860)
  Command line: C:\Windows\system32\fxssvc.exe
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (PID 2812)
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  Signatures: Executes dropped EXE
- C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe (PID 4148)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
  Signatures: Executes dropped EXE
- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (PID 3832)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  Signatures: Executes dropped EXE
- C:\Windows\System32\msdtc.exe (PID 1292)
  Command line: C:\Windows\System32\msdtc.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Windows directory
- \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (PID 4608)
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  Signatures: Executes dropped EXE
- C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (PID 3964)
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Signatures: Executes dropped EXE
- C:\Windows\SysWow64\perfhost.exe (PID 2020)
  Command line: C:\Windows\SysWow64\perfhost.exe
  Signatures: Executes dropped EXE
- C:\Windows\system32\locator.exe (PID 3096)
  Command line: C:\Windows\system32\locator.exe
  Signatures: Executes dropped EXE
- C:\Windows\System32\SensorDataService.exe (PID 852)
  Command line: C:\Windows\System32\SensorDataService.exe
  Signatures: Executes dropped EXE; Checks SCSI registry key(s)
- C:\Windows\System32\snmptrap.exe (PID 116)
  Command line: C:\Windows\System32\snmptrap.exe
  Signatures: Executes dropped EXE
- C:\Windows\system32\spectrum.exe (PID 4532)
  Command line: C:\Windows\system32\spectrum.exe
  Signatures: Executes dropped EXE; Checks SCSI registry key(s)
- C:\Windows\System32\OpenSSH\ssh-agent.exe (PID 212)
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  Signatures: Executes dropped EXE
- C:\Windows\system32\svchost.exe (PID 5088)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
- C:\Windows\system32\TieringEngineService.exe (PID 3272)
  Command line: C:\Windows\system32\TieringEngineService.exe
  Signatures: Executes dropped EXE; Checks processor information in registry; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\AgentService.exe (PID 2860)
  Command line: C:\Windows\system32\AgentService.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vds.exe (PID 3740)
  Command line: C:\Windows\System32\vds.exe
  Signatures: Executes dropped EXE
- C:\Windows\system32\vssvc.exe (PID 4376)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe (PID 4512)
  Command line: "C:\Windows\system32\wbengine.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\WmiApSrv.exe (PID 2092)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  Signatures: Executes dropped EXE
- C:\Windows\system32\SearchIndexer.exe (PID 1484)
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\SearchProtocolHost.exe (PID 112)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    Signatures: Modifies data under HKEY_USERS
  - C:\Windows\system32\SearchFilterHost.exe (PID 2192)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
    Signatures: Modifies data under HKEY_USERS
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5364)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4288,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4276 /prefetch:8
- C:\Windows\System32\RuntimeBroker.exe (PID 5968)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.5MB
MD561cc4c684a6829dbe351c61258a959e3
SHA1b0cb2855b829be0b608aca894c3b6c9c2ed0152d
SHA256b7e9648665ab390ff11bb52d4a0b654d4a88a49d883c7b5ec3d0565400df045f
SHA5120e12bfde7f8f8d03d1b382a03e5fd0ec4326b8a69449e559df7044ba7bcf1107b350c1dcd971a845fa42055b60eed3596f3cacdfebcde90942b039f25b898ae7
-
Filesize
40B
MD5e646991f9b7863013f4543e5deea2d49
SHA17d3ab1c249b15c5bc5761baef819fa96b043539a
SHA2560cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07
SHA5128b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f
-
Filesize
193KB
MD5ef36a84ad2bc23f79d171c604b56de29
SHA138d6569cd30d096140e752db5d98d53cf304a8fc
SHA256e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize
1KB
MD5fbcb068fef2ebacd5bf763521a42564d
SHA1e6d14c0e572feeda8c52d6c6ec2f4cda59b15701
SHA25657c362f8a734730477cc142f1ff65c239986a52bb4a32916cabb769af5e5aee3
SHA512dd58d514e82b865b8e7cf970811b74c41b277d910e98e66920379e1b531584e79b9ea30f489da6eafec0952ac237409b95a70efd0a0fec5fa3a6c386a4d55416
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD53553badbcc45e51942724f6abbfbd463
SHA1df1e6aa66d04b53b17bb9905a6744434e5ef854a
SHA256e953881e8e23dbb7150e4cfcfd56fcfd18fc270785a5fa71203a01ad4c020b12
SHA5121c46a54d4f4d3a70bc00c0677b5dcab784d8887457d24c313c92262787a0534b6a95bd16d90d7835b4a334b5944fd88b03d7620b8895c2b8baf4bf93f4bb1fd9
-
Filesize
5KB
MD5ff15f9e1a21dfe00a47debcc53797e0f
SHA1f211e9cb2a8440f4e1bb9acee4f1579f64a74f39
SHA256301d6329154040ace79b50332d63f6cc24f70231a4eeec5dd9d33cc55d5098b6
SHA512b9fa0c4448b734117fe999d1e9b1ee4565e69e1eee2bc5e14230f0d0b598809d4a9384256bea432890eecac9684be993927fc38175229d66c20835faaf6798fc
-
Filesize
2KB
MD5c4d12c24a85b7e1aaf85cad983fe7610
SHA100bcb6e962cbc5a3d88689ec2f8c15feda6ff7fb
SHA2566568b506f3cb4367abf414e66e1e93a4d4e40339dd3a2a1d5ded1f1907484337
SHA5120d45cd5f36424147b7a67d4f154539d9ddde285cb363a139c5922814e6073cf731d61902a7eb84e9ac6547bcd52e65b023a2f97636072db478ccd04495a59aa6
-
Filesize
16KB
MD5a3e4f4e25c12f9f2931b0d1393214a37
SHA1a5acbd60e67327a59dabd3b8a2d6d49efba6fb8a
SHA256b56dd9e33f707ce6eea1ca7f626746a30c840930a2301508ced074bfedfa1812
SHA512eac4675492b2381ebdf2889a8c05b73cbe5b5427d482ec572d945e6689b72385b21e02d0022cb4133d97892ebc654f97862de097fd44215e19bedef217110598
-
Filesize
260KB
MD56465ad9e77d63e1a0595ee1fcaf9600e
SHA1700982cefe6f4b1f4fb88e172d40427d5ee71d04
SHA2565258e6db2ee1bc3961b4b63c58914ea6385af413df723935ce8114e1b8f2f4d4
SHA512ea062b3a3cd3513180129e5f2f2271ac3a00b636ef8b0c4261ee2ff05c33dd3112b931e71cfe31ae5ae3e38ca1bf9035c980366423f406d5d619d66d4086d159
-
Filesize
7KB
MD5184564bda13380eb408bace8f7a8abce
SHA15ce9e8d6e643123a8f9a1f591d0f3d7ecfe28314
SHA256a825c20e935f1a2d7979a92e6b74fbc3007623ae40e1abe3766cede8e1331178
SHA512c008d1cfd330a83231e7c15e19fcf3dc1de29919dcbe5ad9c8c70b46e0a4ed3dfcfbe053a15eacd525dd1d635b394d09249cee80fc9d44bccde605c005d46a24
-
Filesize
8KB
MD54453eec7dc92edcf460300ebe614fb73
SHA155857d5d05a1c259fdb0e2dbc1640a866e40e50d
SHA2562c9cf969e1dc853154f827ccb89b2e79a6b4fb22ef682c74a194c13d1edda9fb
SHA512ab3f26d434bfa7561e2782824e37ceb9ac9ee55028eef353afacf5a711a1d9f3c2bd6c6e88e66da143b3893f426078a5f207e032f564a3b9ab22ce0aed7e97b6
-
Filesize
12KB
MD5ff90f8b563733f14f996aa96d82157c4
SHA1c4572a087936dd03ae4ebbc39357292363b663eb
SHA256528670900abf1f3c617e4ef51a6582b19d42e8b492ed00cc73a02cd5efcf5405
SHA51273088e463531cf216dfe7d85884679815d1e5ad33836795c2eb6fb0aa8ff2062760dcfb747e09eee3481f6f023c66d2917b1df103359f5c44955fe3cda03bff3
-
Filesize
588KB
MD584e1d3b0d33c999eaeda06095352c8a1
SHA17cdb6bd23cb2c7ca5a3486e54ebaf50c344cf11e
SHA256e5ed1b2d129c2f5fdbc4b57cdcfcde90d759340c16f767b628ac7b5a10b03b88
SHA51270b81367b866c74934ce01f326cb43d0346438f28277f7099830463c0cb80560145b5a8abefe839c5253647cc044946c88303c8c200839864fd6d5d1a414d0f9
-
Filesize
1.7MB
MD5cea21132b4562934559bf9a4ea709536
SHA18727e6ba02ebc7e8698dd704a1134cb071f10e40
SHA256699650af827f6e47eed7b59560572d1668c6b6401688f62af385f9ca1856fd40
SHA5122a68db8b92f52780d6c236386a8aac7b21ab25b370c1c2a1d7d106f13a9f236ea15444d13244224254a7d3d79bb30107978babaa0c5838da5a400c43d812dd52
-
Filesize
659KB
MD51c0902a4d7c70df9e99a2e70680c0891
SHA19c47521e4142b7fb322169c5fc1c5c4c915d120d
SHA25680579be169dddcd812553e60e529c4aaa4aa20c6fc04d9a44d0def4c8e70180b
SHA51277156a1a7e48c7d18d047a0d03a0973efcd043dec44c583b44c7d54ddc14abac4edcec89077c395bd35130267f3a3d2c50d1d91c1d579c1051820308459aebd7
-
Filesize
1.2MB
MD5efde2bd816b68857b2f9d0c0951bca98
SHA141c0d0b8dabf1b660afdb1e477c49550b219750f
SHA25687d7193b7f1a1593dac06dec158dcf931cc05cfa6d9c49126b0105184e8c8a6a
SHA5121cd3fc84c7e8111d911d6410e301c005f9c0585aaa3ac521e7bb8aa50e868db11714ed85289ff4b259a37011dac8819b9a082437600c5611ee3cced57f43a754
-
Filesize
578KB
MD5d3b5cb0f37689128f755d9b52dc6558b
SHA1107115c8bb127283f0ae4f758d90deeef00b9399
SHA25699efe08009368f906abf5fe7a25e6660002424c0362123e335e5802845441e8a
SHA512cfd9d17be7d5d83848a5f214237fba1bed1ba0efed78c1209c8ba9e257a3de065a6bbed778f3f6e344a5db3bbec1fbd9c577a8b9d569b0eef54379fa0a9ac515
-
Filesize
940KB
MD5db7df2fca68a636aba3684443f568e1c
SHA111a8d3da94f15db94704d4ef016421ea8be27191
SHA256aa24bd45c55956390fb7f7952c7ae848a47cb1825153748ba45a195af5f0f474
SHA512b3a8b2183f9f2cdd58fe9937d52466282e4aaba9ff3931580dba6f677aaf3ad19b1d40c1b3af32e3196dc8b732caaedf21e57712d3c192c41deb81db42e87001
-
Filesize
671KB
MD5a106a0cceab8311717fcca580036865b
SHA10f95daf498b10364d7a753d25e06ea701f2cbfef
SHA256e09151d78e6033bcfa5ee7d992dceb450cf7d9381c3bd7138cb8a34525185477
SHA512a2e0b25e3015a511587b51592e4b067e570caf663947c0a57cdc2483ea7ba0d2e94aa64278623d22e6268ec2cd0693433ff7d257f61f9d34ea8a924c38c8784f
-
Filesize
1.4MB
MD58ee171bc1ca29041c3817aa6185d4501
SHA154b0d44449d12ae5c8b4736638ef59cba001072f
SHA256e43158b43efba142fa3c6238607945c879a6db3f9c444b6ba5dc64390f69c2b2
SHA512c68a40dabe43835c9c8205c4f9101f01d7d1b9aefcf4e07dd8344b1ff6416c57dc327289ccbda162b02166a0a62b72fd7043e32940427c504aa0adb846e6f05f
-
Filesize
1.8MB
MD5c6ad5938bcf1159de0ffa28fe47b42df
SHA15a93b90d58ae4d0f577df6553ad3dc6fc0867e60
SHA25698aa238836af922f8eae3ed6c1fe310c2c3edb73488c1e0ca4538fec8c14e777
SHA51258652d5b04174837390427bcdaa4994581eb4ee19d7d0075435d9ede98294520d06706938bad21cbb3a18417739acbf521adc1581360c6b4edcfb089c9f9148b
-
Filesize
1.4MB
MD52208ebcc2b1006932f85a331f30c8c19
SHA1386c1328d4a4435e04324d0bcaf5cfb437014a1c
SHA2563b84089637630f06a99515ad27a59749aea00aac9a0b99ddad7195c35d369150
SHA512b441a5cbdf12ab9def06bea97b84e1131dd46d4f24c9ef2b787747a05b51b065b33eec5005a8e7e2d0412de4db662355eb1e75fc3d146bb7730c258f8bd48d9f
-
Filesize
885KB
MD5bd2a5079ad423ea984892c46a0ca2a2e
SHA1110d67981a39e911b4533f9a90c055d7f2f65c6d
SHA25676bf35ab3fda396f2dfb83e650f0c7a59a53d30731815e7a4b641e68f1b3c597
SHA512bccdf91f4ca018233047868652715d4fba23acd03f8a93e0aabf5d6a69f1e0c8f7fb54f8621dc44249dbf2ebc468cb66035cb52847a7dced570fd9cba7767669
-
Filesize
2.0MB
MD59228bc7bdf3ecb690991019688dd99fb
SHA132807082d5ca942799d9167e93f3434617c2f9c2
SHA2561e794bc04392f87dbfbf93fd2037fdcfd79077dbb2c8aea5e0988bca4fb7ce80
SHA512a26f781f3ae49d7064005daab530d9a4f91a3412943a71a7002808042e57eb1064e40a0c0646576a71423b1318beff409307c86e0be9a928bf2d5830ac7d6aa1
-
Filesize
661KB
MD5f4fe0c57b058f6052e820e83deecbd4e
SHA1862d94207cfd33cc767e635d072054fd1e970f6f
SHA25660727af71255a1997b72ac5db2a1ea3b0d79e76f17dc38416571d79513d41537
SHA5126f721e2afc63e1e18bf83daa2a92c3383c69899d98ff7d4022e829453ab4a4ab6fab37e4096ccbb43755a5623ce67c08752a8a46f803738ce58ee667b6870cb3
-
Filesize
712KB
MD5ff5f3bdcc4c665e7d2174d17431cbe91
SHA1bc7c9519555871bc2d491cc28263c7a560a72e4d
SHA256286c281674c392eeed046f964d97d8742b25ad9a515ba1d5d099e1615f6e6323
SHA51222d5714ee30d636d5100262de4a1dea62ccdb9caed3c3ccd9258ee2f007c3845a71389fe4eb54a2eedb3a3878cb4b2aae532c768f132e8a713feb42dcd5202ba
-
Filesize
584KB
MD5c65b879694226bec1ecb69073c76412c
SHA18e85e02bd97cfbc5c5d045a7103cad02e7c9703b
SHA256ea103ade4637100541f0f10986fae72e78306ae89e665ef6d5070a3a473bea50
SHA51264a83159123998240e409c7c2ae3a45fe38e6ea9a0717f0a9f733c3f04f1fd59068e8ca18cf5bac4e8c2173e29f9b0e5f73df12c4216c7fb5e946f8bbefd44b9
-
Filesize
1.3MB
MD5a4086204ba1356b1e63a8cae4c623226
SHA1ea603540ea9a704db133b852166069e12c712d9d
SHA256ae0c48c17dc6ed5b39fd7bb76a22a27d5220bddf279dcf84f240dec9cbd849b7
SHA512a7a5176a5cd9baf0f72cbbe83939656b7f0cb71cb83138cdced741c2bde7d84bb488930d26ad3c4f0a7c01522d99bbda599391f9c8919d2ad796e07b91ec1476
-
Filesize
772KB
MD5ebe737ccb37c4129b5fd6b41d795e6c0
SHA136aa4c16a3cc3f96f9ad862036786854c0be7ffe
SHA25612681c2446f3d9c5655b4e71c131d808b55fdb441a94226ee8cf977f903342d7
SHA512a7d9ad5306316277f70aa6047c9005b266a7f30855ca024771127225faf1dd439d75b8fc96763d570bfcce7ff81cbe28fcd6017effdbdd74050ccbd9861a499d
-
Filesize
2.1MB
MD55c20540a66e64b2f4540b9c8b7a56deb
SHA16b2b65c1f457d2f22611743244c5fdf9d2600cee
SHA2561684dadc8f183641e51bd8dadbf60626f773bd6405ac903ee8e1806fec4d3293
SHA51232ec591f5a76e30d57759678e939c2a45f2ffc80707b362a910e6d8d238cf2abfaaaa5cdb103c10008e8b19bf63ed6eda5f1ba82e464c76c5ca1b8ba1b215f16
-
Filesize
40B
MD5de12892063f81f60b11c0497ec332fa7
SHA1ccfa0530f55d277c3fe6d75260088ae08d5b7616
SHA256afd8ccad757251c38eecbb67fc9f41af5aecfec62b521b229c5b17e17ba05eae
SHA512441e809f431b7d1715efa1a6eeda910ba6945b9529a6330cf964a1d8f7233e97893e6eac6758abbeca4c61d315829371fa2e2fa02a5b838d1fb79e7a43b6d7ca
-
Filesize
1.3MB
MD51b4f368e2b244f511676310a64500097
SHA1152d835684d927ef119a31678e6e52858745ba8d
SHA256e392819831ddca048e034686993376e91a9b27455e605e09e6562b639283d5a9
SHA512e15a7f78a2ffaf47c65666b2910de988867046b3324f094600e1bc488339097c2be0543d4c4fc96e790fffbd426f134509ee3f59be13f199db98935c532c1f26
-
Filesize
877KB
MD57baba8d9b1caabe0078b327fccfb5934
SHA10980bca7acfb80e7d91390850688e6d41812fe4e
SHA256ce2dabb60b4e6a726e8d51a618c848e7f70dee94bdd72299f40a90fac3c5d657
SHA5123b033f2ac37c099aa2a359c15597edb48e5bae49c65b67187ef3becd8963ebcf7b9218fbdf9161502395c61a59816b257c2266d6d933b6bc30bf7e829fb26af2
-
Filesize
635KB
MD56700f4341b1f832d45e72a6f8753e0d5
SHA180c97242589126400ea2b08a5bca52edd7912ce4
SHA2569f371cef3c96b48e751eb2267c066e92099d847433374e57a8883d8d16aeb1d6
SHA512063bae921b85ffdd5cbc61a4199070fc36435c7a4d9888bc03a02c0694899f0e34b56a90c4d94b52cfed1411fbd234fead5d720ad5f79920914be6000b08d129
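The dropped-file listing above is what an analyst turns into a hunting watchlist, and two things go wrong when that is done by hand: a text export of the report fuses each label to its digest ("MD5cae209..."), which invites truncation when splitting, and some dropped files are too generic to hunt on. The following is an added example, not part of the tria.ge report or of the sample: it parses the listing (both the fused raw form and a tidied "MD5: ..." form), rejects any digest whose hex length does not match its algorithm, and flags entries whose digests are those of trivial content. The three sample entries are copied from the listing above; the 2-byte dropped file's MD5, SHA1 and SHA256 are the well-known digests of the two-byte string "[]" (an empty JSON array), which the check recognises by recomputing them with hashlib rather than by a hard-coded list.

```python
"""Parse a tria.ge 'dropped files' hash listing into hunting-ready IoCs.

Added example for this report; not tria.ge code and not part of the sample.
"""
import hashlib
import re

# Hex-digest length each algorithm in the report produces.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# One field per line. Raw text exports fuse label and value ("MD5cae209...");
# tidier exports use "MD5: cae209..." or put the value on the next line.
# Longer labels are listed first so "SHA512..." is never read as "SHA1".
FIELD = re.compile(r"^(Filesize|SHA512|SHA256|SHA1|MD5)\s*:?\s*(.*)$")

# Sample input: three entries copied from the report's dropped-file listing,
# in the fused raw-export form.
SAMPLE_REPORT = """\
-
Filesize
1.5MB
MD5cae20934191050cf7103657d3ad228d1
SHA19ab6f47999d8b755488aa6b1087747ebf6ebc7e4
SHA256e416978ae03903bf2fdab3af99e3454f29e0585c300953fb233e440d3e06159a
SHA512088952bb0257d71e7b03534b5ef8c9004eee55228278df0ab3238dffde4f419c923b5770a796e1c9d4c8b2e948835d2e24edef6cf8861505a8430f971b4b8c6c
-
Filesize
40B
MD5e646991f9b7863013f4543e5deea2d49
SHA17d3ab1c249b15c5bc5761baef819fa96b043539a
SHA2560cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07
SHA5128b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
"""


def parse_dropped_files(text):
    """Return one dict per entry, keyed Filesize/MD5/SHA1/SHA256/SHA512.

    Entries are separated by a lone '-' line. A digest that is not lowercase
    hex of its algorithm's length raises ValueError: that is how a truncated
    or mis-split line shows up instead of silently becoming a bad indicator.
    """
    records, current = [], None
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line == "-":                              # entry separator
            if current:
                records.append(current)
            current = {}
        else:
            m = FIELD.match(line)
            if m:
                label, value = m.group(1), m.group(2).strip()
                if not value and i + 1 < len(lines):  # value on the next line
                    i += 1
                    value = lines[i]
                if label != "Filesize":
                    value = value.lower()
                    if not re.fullmatch(r"[0-9a-f]{%d}" % DIGEST_LEN[label], value):
                        raise ValueError(f"bad {label} digest on line {i + 1}: {value!r}")
                if current is None:
                    current = {}
                current[label] = value
        i += 1
    if current:
        records.append(current)
    return records


# Content whose digests appear in countless unrelated reports and therefore
# make useless (or actively harmful) hunting indicators.
TRIVIAL_CONTENT = {b"": "empty file", b"[]": "empty JSON array", b"{}": "empty JSON object"}


def trivial_content(record):
    """Describe the trivial content a record's digests all match, else None."""
    algos = [a for a in DIGEST_LEN if a in record]
    if not algos:
        return None
    for data, description in TRIVIAL_CONTENT.items():
        if all(hashlib.new(a.lower(), data).hexdigest() == record[a] for a in algos):
            return description
    return None


def hunting_indicators(records):
    """Sorted SHA256 values worth loading into an EDR/SIEM watchlist."""
    return sorted(r["SHA256"] for r in records
                  if "SHA256" in r and trivial_content(r) is None)


if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE_REPORT)
    for r in recs:
        print(r["Filesize"], r["SHA256"], trivial_content(r) or "")
    print("watchlist:", hunting_indicators(recs))
```

Run against the full listing, the filter removes only the entries whose bytes are known trivial content; every other dropped file keeps its SHA256, and a mismatched digest length aborts the run rather than producing a watchlist with a silently truncated hash in it.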