Analysis
max time kernel: 151s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 07:12

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-01_232351465b08f58d9841106f7040610f_ryuk.exe
Resource: win7-20240221-en

General
Target: 2024-06-01_232351465b08f58d9841106f7040610f_ryuk.exe
Size: 5.5MB
MD5: 232351465b08f58d9841106f7040610f
SHA1: 8c9424c2dac3358faa5882b0b60ef3e41711d912
SHA256: 10531d56d00accc17e5a514adaaf2ccbf6063544880fdb09de715e01db2496c8
SHA512: 9742098d111254aabb155b7b454f8a8badb5c541958bf74e05e56eb7ffd05db4f99e4d466f74029c158aad1dd71c3962966cb2a3e123950bfc7adba265a3c795
SSDEEP: 49152:LEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1bn9tJEUxDG0BYYrLA50IHLGfD:XAI5pAdV9n9tbnR1VgBVmxKYpfg

Note on the family label: the "_ryuk" suffix is part of the submitted file name, not a verdict of this run. None of the signatures below records file encryption, ransom-note creation or service-stopping activity; what the run does show is the sample opening existing Windows and third-party executables for modification, after which those executables run. Treat the family label as unverified by this report.
Malware Config
No extracted configuration is listed for this sample.

Signatures
Executes dropped EXE (21 IoCs)
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, maintenanceservice.exe, msdtc.exe, OSE.EXE, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe

PID   Process
3856  alg.exe
1688  DiagnosticsHub.StandardCollector.Service.exe
4116  fxssvc.exe
4296  elevation_service.exe
4768  maintenanceservice.exe
5024  msdtc.exe
1516  OSE.EXE
3740  PerceptionSimulationService.exe
5184  perfhost.exe
5616  locator.exe
5708  SensorDataService.exe
5956  snmptrap.exe
6116  spectrum.exe
6032  ssh-agent.exe
5856  TieringEngineService.exe
5948  AgentService.exe
5248  vds.exe
5352  vssvc.exe
5548  wbengine.exe
6024  WmiApSrv.exe
4624  SearchIndexer.exe

None of these is a new file with a random name: every entry is the name of an existing Windows service binary or a third-party helper executable under System32 or Program Files. 19 of the 21 appear as "File opened for modification" targets in the sections below; elevation_service.exe and OSE.EXE do not appear in the displayed lists. The "dropped EXE" here is therefore a legitimate binary whose on-disk contents were changed before it ran. Verify the integrity of each listed binary (Authenticode signature, or hash against a known-good image) rather than assuming the file on disk is still the vendor's.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and history.
No IoCs are listed under this signature in the report, so the process and files involved are not shown.
Drops file in System32 directory (31 IoCs)
Processes: 2024-06-01_232351465b08f58d9841106f7040610f_ryuk.exe, alg.exe, msdtc.exe
All 31 entries are "File opened for modification"; they are grouped below by the process that performed the write.

Written by 2024-06-01_232351465b08f58d9841106f7040610f_ryuk.exe (22):
  C:\Windows\system32\locator.exe
  C:\Windows\system32\spectrum.exe
  C:\Windows\system32\AgentService.exe
  C:\Windows\system32\fxssvc.exe
  C:\Windows\System32\alg.exe
  C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\SearchIndexer.exe
  C:\Windows\system32\AppVClient.exe
  C:\Windows\System32\msdtc.exe
  C:\Windows\system32\TieringEngineService.exe
  C:\Windows\system32\msiexec.exe
  C:\Windows\System32\OpenSSH\ssh-agent.exe
  C:\Windows\System32\snmptrap.exe
  C:\Windows\system32\SgrmBroker.exe
  C:\Windows\system32\wbengine.exe
  C:\Windows\SysWow64\perfhost.exe
  C:\Windows\System32\SensorDataService.exe
  C:\Windows\system32\vssvc.exe
  C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  C:\Windows\system32\dllhost.exe
  C:\Windows\System32\vds.exe

Written by alg.exe (8):
  C:\Windows\system32\SgrmBroker.exe
  C:\Windows\system32\config\systemprofile\AppData\Roaming\8670dc90b3e2edcd.bin
  C:\Windows\system32\fxssvc.exe
  C:\Windows\system32\AppVClient.exe
  C:\Windows\System32\SensorDataService.exe
  C:\Windows\system32\AgentService.exe
  C:\Windows\system32\dllhost.exe
  C:\Windows\system32\msiexec.exe

Written by msdtc.exe (1):
  C:\Windows\system32\MSDtc\MSDTC.LOG

The writer list is the important part. alg.exe is itself one of the binaries the sample opened for modification, and the alg.exe that then ran (PID 3856 above) goes on to modify further service binaries (SgrmBroker.exe, fxssvc.exe, AppVClient.exe, SensorDataService.exe, AgentService.exe, dllhost.exe, msiexec.exe) and to write 8670dc90b3e2edcd.bin under the SYSTEM profile's Roaming directory. The modification therefore propagates through a modified binary, not only from the original sample. msdtc.exe, by contrast, writes only its own MSDTC.LOG, which is ordinary service behaviour. Several targets (fxssvc.exe, AppVClient.exe, SensorDataService.exe, AgentService.exe, dllhost.exe, msiexec.exe, SgrmBroker.exe) are touched by both writers.
Drops file in Program Files directory (64 IoCs)
Processes: 2024-06-01_232351465b08f58d9841106f7040610f_ryuk.exe, alg.exe
All 64 entries are "File opened for modification", grouped below by writer. Several signatures on this page stop at exactly 64 entries, which suggests the displayed list is truncated; do not treat it as the complete set of files touched.

Written by 2024-06-01_232351465b08f58d9841106f7040610f_ryuk.exe (26):
  C:\Program Files\Java\jdk-1.8\bin\pack200.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe
  C:\Program Files\Java\jre-1.8\bin\javaws.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
  C:\Program Files (x86)\Internet Explorer\ExtExport.exe
  C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe
  C:\Program Files\Java\jre-1.8\bin\java.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
  C:\Program Files\Java\jdk-1.8\bin\jmap.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe
  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
  C:\Program Files\7-Zip\7zFM.exe
  C:\Program Files\Java\jdk-1.8\bin\rmic.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe
  C:\Program Files\Java\jdk-1.8\bin\javap.exe
  C:\Program Files\Internet Explorer\iediagcmd.exe
  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe
  C:\Program Files (x86)\Internet Explorer\iexplore.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
  C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe

Written by alg.exe (38):
  C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe
  C:\Program Files\Java\jre-1.8\bin\jjs.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
  C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe
  C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
  C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
  C:\Program Files\Java\jdk-1.8\bin\jstat.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe
  C:\Program Files\Java\jdk-1.8\bin\jps.exe
  C:\Program Files\Java\jre-1.8\bin\jabswitch.exe
  C:\Program Files\Mozilla Firefox\maintenanceservice.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
  C:\Program Files (x86)\Internet Explorer\ieinstal.exe
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe
  C:\Program Files\Internet Explorer\ieinstal.exe
  C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
  C:\Program Files\Java\jre-1.8\bin\javacpl.exe
  C:\Program Files\7-Zip\Uninstall.exe
  C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
  C:\Program Files\Java\jdk-1.8\bin\ktab.exe
  C:\Program Files\Java\jdk-1.8\bin\servertool.exe
  C:\Program Files\Java\jre-1.8\bin\kinit.exe
  C:\Program Files\7-Zip\7zG.exe
  C:\Program Files\Common Files\microsoft shared\ink\mip.exe
  C:\Program Files\dotnet\dotnet.exe
  C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
  C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe
  C:\Program Files\Java\jdk-1.8\bin\jmap.exe
  C:\Program Files\Java\jdk-1.8\bin\serialver.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

As in System32, both the sample and the modified alg.exe write into third-party executables (Java JDK/JRE, Acrobat Reader, Google Update, Mozilla Maintenance Service, 7-Zip, Office Click-to-Run, dotnet, Internet Explorer), and alg.exe accounts for more of the displayed writes than the sample itself.
Drops file in Windows directory (3 IoCs)
Processes: 2024-06-01_232351465b08f58d9841106f7040610f_ryuk.exe, msdtc.exe, alg.exe

Description                  | IoC                                                                  | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-01_232351465b08f58d9841106f7040610f_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log                                            | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
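The correlation drawn in the three "Drops file" sections above (binaries the sample opened for modification that later appear as executed processes, and modified binaries that go on to write further executables) can be pulled out of the report text mechanically. The following Python is an added example written for this page; it is not part of the sandbox report or its tooling. Its input rows are an excerpt copied from the System32, Program Files and "Executes dropped EXE" sections of this report, and the regular expression assumes the report's flattened "File opened for modification <path> <process>" layout, in which the path may contain spaces but the process name never does.

```python
import re
from collections import defaultdict

# Added example for this page, not part of the sandbox report or its tooling.
SAMPLE = "2024-06-01_232351465b08f58d9841106f7040610f_ryuk.exe"

# Excerpt copied from the "Drops file in System32 / Program Files directory"
# sections of this report, in the report's flattened layout (rows run together
# on one line). Not the full set of entries.
FILE_ROWS = " ".join([
    f"File opened for modification C:\\Windows\\system32\\locator.exe {SAMPLE}",
    "File opened for modification C:\\Windows\\system32\\SgrmBroker.exe alg.exe",
    "File opened for modification C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\8670dc90b3e2edcd.bin alg.exe",
    f"File opened for modification C:\\Windows\\system32\\fxssvc.exe {SAMPLE}",
    f"File opened for modification C:\\Windows\\System32\\alg.exe {SAMPLE}",
    "File opened for modification C:\\Windows\\system32\\fxssvc.exe alg.exe",
    f"File opened for modification C:\\Windows\\System32\\msdtc.exe {SAMPLE}",
    f"File opened for modification C:\\Windows\\System32\\OpenSSH\\ssh-agent.exe {SAMPLE}",
    "File opened for modification C:\\Windows\\system32\\MSDtc\\MSDTC.LOG msdtc.exe",
    f"File opened for modification C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe {SAMPLE}",
])

# Excerpt of the "Executes dropped EXE" pid/process list from the same report.
EXEC_ROWS = ("pid Process 3856 alg.exe 4116 fxssvc.exe 4768 maintenanceservice.exe "
             "5024 msdtc.exe 5616 locator.exe 6032 ssh-agent.exe")

# Layout assumption: the path may contain spaces, the process name never does,
# and a row ends where the next "File opened for modification" begins (or at
# the end of the text).
ROW_RE = re.compile(r"File opened for modification (.+?) (\S+)(?=\s+File opened for modification|\s*$)")
PID_RE = re.compile(r"(\d+) (\S+)")


def parse_file_rows(text):
    """-> list of (path, writing_process) tuples in report order."""
    return ROW_RE.findall(text)


def parse_executed(text):
    """-> {process_name: pid} from the pid/process list."""
    return {name: int(pid) for pid, name in PID_RE.findall(text)}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate(file_rows, executed, sample=SAMPLE):
    """Tie modified files to later process executions.

    modified_then_executed: basename -> pid, distinct paths, and the processes that wrote it
    modified_not_executed:  modified files that never show up as a running process
    secondary_writers:      processes other than the sample that modified files
    propagating:            modified-then-executed binaries that themselves wrote .exe files
    """
    paths = defaultdict(set)
    writers = defaultdict(set)
    for path, proc in file_rows:
        paths[basename(path)].add(path)
        writers[basename(path)].add(proc)
    executed_lc = {n.lower(): pid for n, pid in executed.items()}
    hit = {
        name: {"pid": executed_lc[name], "paths": sorted(paths[name]), "written_by": sorted(writers[name])}
        for name in paths if name in executed_lc
    }
    exe_writers = {proc.lower() for path, proc in file_rows if path.lower().endswith(".exe")}
    return {
        "modified_then_executed": hit,
        "modified_not_executed": sorted(n for n in paths if n not in executed_lc),
        "secondary_writers": sorted({proc for _, proc in file_rows if proc.lower() != sample.lower()}),
        "propagating": sorted(n for n in hit if n in exe_writers),
    }


if __name__ == "__main__":
    r = correlate(parse_file_rows(FILE_ROWS), parse_executed(EXEC_ROWS))
    for name, info in r["modified_then_executed"].items():
        print(f"verify on disk: {info['paths'][0]}  (ran as pid {info['pid']}, "
              f"written by {', '.join(info['written_by'])})")
    print("propagating:", r["propagating"])
```

On the excerpt, every modified-then-executed entry is a path under System32 or Program Files that should be hash- or signature-checked, fxssvc.exe shows two writers (the sample and alg.exe), and alg.exe is the only "propagating" binary: it ran after being modified and then wrote other .exe files. msdtc.exe is deliberately not flagged as propagating, since its only write is its own MSDTC.LOG.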
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe

All 64 entries sit under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ and concern four device instances:
  [Disk] Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
  [DVD1] CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
  [DVD2] CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
  [DVD3] CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000

For each instance the report records the instance key being opened, its FriendlyName value being queried, and the device-property subkeys below being opened. "both" means SensorDataService.exe and spectrum.exe each have an entry; otherwise only the named process does.

Subkey under the device instance                        | [Disk]       | [DVD1]                | [DVD2]                | [DVD3]
(instance key opened)                                   | both         | both                  | both                  | both
FriendlyName (value queried)                            | both         | both                  | both                  | both
Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  | both         | both                  | both                  | both
Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  | both         | both                  | both                  | spectrum.exe
Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  | both         | SensorDataService.exe | spectrum.exe          | spectrum.exe
Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  | both         | both                  | both                  | both
Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  | both         | SensorDataService.exe | both                  | both
Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  | spectrum.exe | both                  | SensorDataService.exe | both
Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  | both         | SensorDataService.exe | both                  | both

(17 + 15 + 16 + 16 = 64 entries.)

Caveat before citing this as anti-analysis: both processes are Windows services whose on-disk binaries are among the "File opened for modification" targets above, and the keys they read describe the analysis VM's own disk and DVD devices. Opening every device instance and the same set of property subkeys is what a service does when it enumerates hardware at start-up, so this signature on its own does not show that the sample looks for a sandbox. Corroborate it with the same reads from the sample's own process, or with a control run in which the unmodified services start.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe

Description       | IoC                                                             | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened        | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0      | TieringEngineService.exe

The same caveat as for the SCSI keys applies: TieringEngineService.exe is one of the modified service binaries, and a single read of the CPU clock value is a routine query, so this is not evidence of sandbox detection by the sample without corroboration.
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: chrome.exe

Description       | IoC                                                                | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                 | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  | chrome.exe

chrome.exe is neither the sample nor one of the 21 executed dropped EXEs, and it does not appear among the modified files shown; the report does not tie it to the sample at all. Treat this signature as environmental activity of the analysis image unless a process tree links chrome.exe to the sample.
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, chrome.exe, fxssvc.exe

Prefixes used below:
  U   = \REGISTRY\USER\.DEFAULT
  MUI = U\Software\Classes\Local Settings\MuiCache\22\52C64B7E
  ORE = C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll

SearchProtocolHost.exe (53 entries)
  Key created:
    U\Software
    U\Software\Microsoft\Windows
    U\Software\Microsoft\Windows\CurrentVersion
    U\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
    U\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
    U\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au
    U\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid
    U\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht
    U\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2
    U\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList
    U\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList
    U\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList
    U\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList
    U\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList
    U\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList
  Set value (data) under U\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached:
    {A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f0fe746f3b3da01
    {5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d7177949f3b3da01
    {97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006451b249f3b3da01
    {01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6fd7948f3b3da01
    {AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4086347f3b3da01
  Set value (str) under MUI:
    @C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"
    @C:\Windows\System32\ieframe.dll,-912 = "HTML Document"
    @C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"
    @C:\Windows\System32\ieframe.dll,-914 = "SVG Document"
    @C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"
    @C:\Windows\system32\notepad.exe,-469 = "Text Document"
    @C:\Windows\system32\cabview.dll,-20 = "Cabinet File"
    @C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"
    @C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"
    @windows.storage.dll,-21824 = "Camera Roll"
    @C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"
    @"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"
    @"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"
    @C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"
    @C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"
    @C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"
    @C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"
    @C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"
    @C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"
    @C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"
    @C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"
    @C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"
    @ORE,-102 = "Microsoft Excel Template"
    @ORE,-114 = "OpenDocument Spreadsheet"
    @ORE,-124 = "Microsoft Word Macro-Enabled Document"
    @ORE,-126 = "Microsoft Word Macro-Enabled Template"
    @ORE,-170 = "Microsoft PowerPoint 97-2003 Presentation"
    @ORE,-172 = "Microsoft PowerPoint 97-2003 Slide Show"
    @ORE,-174 = "Microsoft PowerPoint Presentation"
    @ORE,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"
    @ORE,-178 = "OpenDocument Presentation"
    @ORE,-180 = "Microsoft PowerPoint 97-2003 Template"
    @ORE,-182 = "Microsoft PowerPoint Template"

SearchFilterHost.exe (9 entries)
  Key created:
    U\Software\Microsoft
    U\Software\Microsoft\Windows\CurrentVersion
    U\Software\Microsoft\Windows\CurrentVersion\Shell Extensions
    U\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
    U\Software\Microsoft\Multimedia
    U\Software\Microsoft\Multimedia\ActiveMovie
    U\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device
    U\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device
    U\Software\Microsoft\SystemCertificates

chrome.exe (1 entry)
  Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry

fxssvc.exe (1 entry)
  Set value (str): MUI\@fxsresm.dll,-1131 = "Route through e-mail"

What this signature does and does not show: SearchProtocolHost.exe and SearchFilterHost.exe are the helper processes of the Windows Search indexer (SearchIndexer.exe is in the executed list, and its binary was modified), and their writes are MuiCache display strings, FileExts\OpenWithList keys, DirectShow device-enumerator keys and Shell Extensions\Cached timestamps under the .DEFAULT hive, which is what the indexer populates when it runs under the SYSTEM account. The single fxssvc.exe entry is a MuiCache string from the fax service's resource DLL, and the chrome.exe entry creates a TPM telemetry key under the LOCAL SERVICE hive (S-1-5-19). None of the keys listed is an autostart or persistence location. The count of 64 entries makes the signature look heavy, but the content is consistent with modified services starting up rather than with sample-specific registry tampering; if persistence is suspected, look for it in the modified binaries themselves, which are the services that Windows will start on its own.
Suspicious behavior: EnumeratesProcesses 39 IoCs
Processes:
pid Process
1340 chrome.exe (2 entries)
1420 2024-06-01_232351465b08f58d9841106f7040610f_ryuk.exe (35 entries)
6592 chrome.exe (2 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid Process
676 (2 entries; the report records no image name for this PID)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
Processes:
pid Process
1340 chrome.exe (4 entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description pid Process
(listed once per distinct entry, in order of first appearance; the chrome.exe SeShutdownPrivilege/SeCreatePagefilePrivilege pair and the SearchIndexer.exe SeTakeOwnershipPrivilege entry recur between the others)
Token: SeTakeOwnershipPrivilege 824 2024-06-01_232351465b08f58d9841106f7040610f_ryuk.exe
Token: SeShutdownPrivilege 1340 chrome.exe (repeated)
Token: SeCreatePagefilePrivilege 1340 chrome.exe (repeated)
Token: SeAuditPrivilege 4116 fxssvc.exe
Token: SeRestorePrivilege 5856 TieringEngineService.exe
Token: SeManageVolumePrivilege 5856 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 5948 AgentService.exe
Token: SeBackupPrivilege 5352 vssvc.exe
Token: SeRestorePrivilege 5352 vssvc.exe
Token: SeAuditPrivilege 5352 vssvc.exe
Token: SeBackupPrivilege 5548 wbengine.exe
Token: SeRestorePrivilege 5548 wbengine.exe
Token: SeSecurityPrivilege 5548 wbengine.exe
Token: 33 4624 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4624 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4624 SearchIndexer.exe (repeated)
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
chrome.exepid Process 1340 chrome.exe 1340 chrome.exe 1340 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid Process procid_target
PID 824 wrote to memory of 1420 824 2024-06-01_232351465b08f58d9841106f7040610f_ryuk.exe 90 (2 entries)
PID 824 wrote to memory of 1340 824 2024-06-01_232351465b08f58d9841106f7040610f_ryuk.exe 91 (2 entries)
PID 1340 wrote to memory of 5032 1340 chrome.exe 92 (2 entries)
PID 1340 wrote to memory of 876 1340 chrome.exe 97 (38 entries)
PID 1340 wrote to memory of 3772 1340 chrome.exe 98 (2 entries)
PID 1340 wrote to memory of 1900 1340 chrome.exe 99 (18 entries)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. The report records only that the VSS COM API was called and that vssvc.exe started (PID 5352, enabling SeBackupPrivilege and SeRestorePrivilege); it does not show which VSS operation was requested, so whether shadow copies were merely enumerated or actually deleted has to be checked separately.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_232351465b08f58d9841106f7040610f_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-01_232351465b08f58d9841106f7040610f_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Users\Admin\AppData\Local\Temp\2024-06-01_232351465b08f58d9841106f7040610f_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_232351465b08f58d9841106f7040610f_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2d4,0x2f4,0x140462458,0x140462468,0x1404624782⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1420
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe6e939758,0x7ffe6e939768,0x7ffe6e9397783⤵PID:5032
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1732,i,16798394474430223541,9668740592244180821,131072 /prefetch:23⤵PID:876
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1732,i,16798394474430223541,9668740592244180821,131072 /prefetch:83⤵PID:3772
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1732,i,16798394474430223541,9668740592244180821,131072 /prefetch:83⤵PID:1900
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1732,i,16798394474430223541,9668740592244180821,131072 /prefetch:13⤵PID:924
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3228 --field-trial-handle=1732,i,16798394474430223541,9668740592244180821,131072 /prefetch:13⤵PID:404
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4356 --field-trial-handle=1732,i,16798394474430223541,9668740592244180821,131072 /prefetch:83⤵PID:4624
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4464 --field-trial-handle=1732,i,16798394474430223541,9668740592244180821,131072 /prefetch:83⤵PID:832
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4672 --field-trial-handle=1732,i,16798394474430223541,9668740592244180821,131072 /prefetch:13⤵PID:2136
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4668 --field-trial-handle=1732,i,16798394474430223541,9668740592244180821,131072 /prefetch:83⤵PID:4420
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5016 --field-trial-handle=1732,i,16798394474430223541,9668740592244180821,131072 /prefetch:83⤵PID:3580
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5328 --field-trial-handle=1732,i,16798394474430223541,9668740592244180821,131072 /prefetch:83⤵PID:4116
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 --field-trial-handle=1732,i,16798394474430223541,9668740592244180821,131072 /prefetch:83⤵PID:5396
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4804 --field-trial-handle=1732,i,16798394474430223541,9668740592244180821,131072 /prefetch:83⤵PID:5524
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings3⤵PID:5608
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff677c67688,0x7ff677c67698,0x7ff677c676a84⤵PID:5724
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=04⤵PID:5936
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff677c67688,0x7ff677c67698,0x7ff677c676a85⤵PID:5968
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 --field-trial-handle=1732,i,16798394474430223541,9668740592244180821,131072 /prefetch:83⤵PID:5756
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1732,i,16798394474430223541,9668740592244180821,131072 /prefetch:83⤵PID:5768
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5504 --field-trial-handle=1732,i,16798394474430223541,9668740592244180821,131072 /prefetch:83⤵PID:6104
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4824 --field-trial-handle=1732,i,16798394474430223541,9668740592244180821,131072 /prefetch:83⤵PID:5764
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4804 --field-trial-handle=1732,i,16798394474430223541,9668740592244180821,131072 /prefetch:13⤵PID:6536
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1732,i,16798394474430223541,9668740592244180821,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:6592
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3856
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:1688
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:3632
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4116
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:2296
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4296
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:4768
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5024
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:1516
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:3740
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:5184
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:5616
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5708
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:5956
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:6116
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:6032
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:6112
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5856
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5948
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:5248
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5352
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5548
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:6024
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding1⤵PID:6104
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4624 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:5656
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:5680
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3560 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:81⤵PID:6340
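The tree above shows the pattern worth checking on any host this sample touched: the parent (PID 824) enables SeTakeOwnershipPrivilege, it and its child (PID 1420) drop files into System32 and Program Files, and the service control manager later starts those paths under their own service names (alg.exe, fxssvc.exe, msdtc.exe, the Edge elevation_service.exe, maintenanceservice.exe, vssvc.exe and the others flagged "Executes dropped EXE"). Note that PIDs are reused within the run (4116, 4624 and 6104 each appear first for a short-lived chrome.exe utility process and later for a service), so keying on PIDs alone is unreliable. The PowerShell below is an added example, not part of the sandbox output and not the sample's code: run elevated, it walks every installed service, resolves its image path, and reports images whose Authenticode signature is not Valid, that were written recently, that live under %SystemRoot% but are no longer owned by TrustedInstaller (what a take-ownership overwrite leaves behind), or whose SHA256 differs from an optional known-good list. The -Reference and -RecentHours parameters and the "SHA256 path" reference-file format are this example's own conventions.

```powershell
# Added example for this report; not part of the sandbox output and not the
# sample's own code. Run elevated on a host suspected of the same pattern.
# Reference-file format (this script's own convention): one "SHA256  C:\path\image.exe" per line.
[CmdletBinding()]
param(
    [string]$Reference,        # optional known-good hash list from a clean host
    [int]$RecentHours = 24     # flag images written within this many hours
)

# Pull the executable out of a service command line: it may be quoted, or
# unquoted with spaces and trailing arguments ("C:\Program Files\x\svc.exe -k Foo").
function Get-ServiceImagePath {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) } else { return $null }
    }
    $acc = ''
    foreach ($tok in ($cmd -split ' ')) {
        $acc = if ($acc) { "$acc $tok" } else { $tok }
        if ($acc -match '\.exe$') { return $acc }
    }
    return ($cmd -split ' ')[0]
}

# Optional known-good hashes, keyed by lower-case path.
$ref = @{}
if ($Reference -and (Test-Path -LiteralPath $Reference)) {
    foreach ($line in Get-Content -LiteralPath $Reference) {
        $parts = $line.Trim() -split '\s+', 2
        if ($parts.Count -eq 2) { $ref[$parts[1].ToLowerInvariant()] = $parts[0].ToUpperInvariant() }
    }
}

$cutoff  = (Get-Date).ToUniversalTime().AddHours(-$RecentHours)
$sysRoot = $env:SystemRoot.ToLowerInvariant()

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $path = Get-ServiceImagePath $svc.PathName
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }

    $sig    = Get-AuthenticodeSignature -LiteralPath $path
    $file   = Get-Item -LiteralPath $path
    $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $owner  = (Get-Acl -LiteralPath $path).Owner
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    $why    = @()

    # HashMismatch = modified after signing; NotSigned = signature stripped or file replaced.
    if ($sig.Status -ne 'Valid') { $why += "signature $($sig.Status)" }
    if ($file.LastWriteTimeUtc -gt $cutoff) { $why += "written $($file.LastWriteTimeUtc.ToString('u'))" }
    # Windows-shipped service binaries are owned by TrustedInstaller; an overwrite
    # done via SeTakeOwnershipPrivilege leaves Administrators or a user as owner.
    if ($path.ToLowerInvariant().StartsWith($sysRoot) -and $owner -ne 'NT SERVICE\TrustedInstaller') {
        $why += "owner $owner"
    }
    $known = $ref[$path.ToLowerInvariant()]
    if ($known -and $known -ne $hash) { $why += 'sha256 differs from reference' }

    if ($why.Count -gt 0) {
        [pscustomobject]@{
            Service = $svc.Name
            State   = $svc.State
            Path    = $path
            Signer  = $signer
            SHA256  = $hash
            Reason  = ($why -join '; ')
        }
    }
}

$findings | Sort-Object Path | Format-Table -AutoSize -Wrap
```

Read the Signer column rather than expecting Microsoft everywhere: third-party services such as the Edge elevation service and the Mozilla maintenance service are legitimately signed by their vendors, and the owner check is deliberately limited to %SystemRoot% because vendor directories under Program Files are normally owned by Administrators. A service whose image reports HashMismatch, a fresh write time and a non-TrustedInstaller owner is the combination this report's "Drops file in System32 directory" plus "Executes dropped EXE" pairing would produce.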
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.2MB
MD5dfe3d76bab9f2be9b3dd80682d12d8c3
SHA17bd0405b97eeed753b954829b2ac3353c9012754
SHA256611eebaea04ebea317e24f87003b6101b18bf49a42f091ab6b57eefaf68ff083
SHA51208515ef8de69b1375713ceff40c49b19fd79cf14656dc04ff1bd1e56271e3374c0e5a85e99a03c85fe4ba83323b07dc655259c42773c86cd293cffdcba58090e
-
Filesize
1.6MB
MD5ef35448b8f55ce2a2395023b9fbdf351
SHA1b4c4d80608b60faf5d92de469c187fe344172362
SHA256ac19fb3b5771a3876d64d6939dfda4d284382461e71cd5ca22e27650240345ef
SHA51284d2743150aa4c612ca5422c50c8b2a380aa934b5c7a828f62a6d9a16736958fef0eecc45df426ffa221a291c45b7053e47cd39aeb582a8a611c83e50380e30b
-
Filesize
2.0MB
MD572160d1cc611bde7a7162bfcac00826a
SHA1ae3a40f621b4b14bb9f6040622d6796c4ff6dd46
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json
Filesize
851B
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json
Filesize
854B
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT
Filesize
16B
-