Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 06:50

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
Resource: win7-20240221-en

General

Target: 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
Size: 5.5MB
MD5: 684fc41687d77328430d84c4456004d3
SHA1: cf5aab76002e5fd217f038fb228b73dfaac3aa5c
SHA256: 6b4343f65e1e0c994d25f76699eb1746ab3857d383fb48d0e8b2bce2b3482661
SHA512: d48690e4b21e43442956c564a7dd83c5ce51c43ba28f0503d2cb3f8458eb8a302965c9f83e48139c3d703ceffdcb86cb6ba943e1217008ce69d7d91afa0dd3f9
SSDEEP: 49152:dEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfk:hAI5pAdVJn9tbnR1VgBVm3EnW6at
Malware Config
Signatures
Executes dropped EXE (26 IoCs)
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, msdtc.exe, OSE.EXE, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe, chrmstp.exe, chrmstp.exe, chrmstp.exe, chrmstp.exe
pid | Process
3316 | alg.exe
1068 | DiagnosticsHub.StandardCollector.Service.exe
2812 | fxssvc.exe
4264 | elevation_service.exe
1264 | elevation_service.exe
4296 | maintenanceservice.exe
2912 | msdtc.exe
736 | OSE.EXE
1564 | PerceptionSimulationService.exe
948 | perfhost.exe
632 | locator.exe
912 | SensorDataService.exe
4700 | snmptrap.exe
4748 | spectrum.exe
4724 | ssh-agent.exe
4376 | TieringEngineService.exe
4952 | AgentService.exe
1796 | vds.exe
4692 | vssvc.exe
3452 | wbengine.exe
1500 | WmiApSrv.exe
1928 | SearchIndexer.exe
5328 | chrmstp.exe
5636 | chrmstp.exe
5772 | chrmstp.exe
5888 | chrmstp.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
Processes: 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe, alg.exe, msdtc.exe
description | ioc | Process
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\fa057f54e703f493.bin | alg.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
Drops file in Program Files directory (64 IoCs)
Processes: alg.exe, 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{4EF9C35E-DC0D-40E1-941D-AB9119298CDF}\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | alg.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
Drops file in Windows directory (3 IoCs)
Processes: 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe, msdtc.exe, alg.exe
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: spectrum.exe, SensorDataService.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: chrome.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchFilterHost.exe, SearchProtocolHost.exe, SearchIndexer.exe, fxssvc.exe, chrome.exe
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b8f8011f0b3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088081a11f0b3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6932311f0b3da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0bb0b11f0b3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038cd1e11f0b3da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (int) |
\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133616982592283828" chrome.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000710fff13f0b3da01 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8aa3a14f0b3da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1702014f0b3da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid SearchProtocolHost.exe -
Modifies registry class 1 IoCs
Processes:
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 39 IoCs
Processes:
pid Process
2572 chrome.exe (repeated entries)
2428 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe (repeated entries)
2880 chrome.exe (repeated entries)
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid Process
648 (process not named in the report)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
pid Process
2572 chrome.exe (3 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description pid Process
Token: SeTakeOwnershipPrivilege 4896 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
Token: SeTakeOwnershipPrivilege 2428 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe
Token: SeAuditPrivilege 2812 fxssvc.exe
Token: SeRestorePrivilege 4376 TieringEngineService.exe
Token: SeManageVolumePrivilege 4376 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4952 AgentService.exe
Token: SeBackupPrivilege 4692 vssvc.exe
Token: SeRestorePrivilege 4692 vssvc.exe
Token: SeAuditPrivilege 4692 vssvc.exe
Token: SeBackupPrivilege 3452 wbengine.exe
Token: SeRestorePrivilege 3452 wbengine.exe
Token: SeSecurityPrivilege 3452 wbengine.exe
Token: 33 1928 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1928 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1928 SearchIndexer.exe (repeated entries)
Token: SeShutdownPrivilege 2572 chrome.exe (repeated entries, alternating with the next)
Token: SeCreatePagefilePrivilege 2572 chrome.exe (repeated entries)
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid Process
2572 chrome.exe (3 entries)
5772 chrmstp.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid Process procid_target
PID 4896 wrote to memory of 2428 4896 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe 82 (2 entries)
PID 4896 wrote to memory of 2572 4896 2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe 84 (2 entries)
PID 2572 wrote to memory of 5048 2572 chrome.exe 89 (2 entries)
PID 1928 wrote to memory of 1548 1928 SearchIndexer.exe 113 (2 entries)
PID 2572 wrote to memory of 3340 2572 chrome.exe 114 (repeated entries)
PID 2572 wrote to memory of 716 2572 chrome.exe 115 (2 entries)
PID 2572 wrote to memory of 4980 2572 chrome.exe 116 (repeated entries)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Users\Admin\AppData\Local\Temp\2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_684fc41687d77328430d84c4456004d3_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2e0,0x2e4,0x2d0,0x2e8,0x140462458,0x140462468,0x1404624782⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2428
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdadb9ab58,0x7ffdadb9ab68,0x7ffdadb9ab783⤵PID:5048
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1680,i,9205307817495285943,16531763569903312564,131072 /prefetch:23⤵PID:3340
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1680,i,9205307817495285943,16531763569903312564,131072 /prefetch:83⤵PID:716
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1680,i,9205307817495285943,16531763569903312564,131072 /prefetch:83⤵PID:4980
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1680,i,9205307817495285943,16531763569903312564,131072 /prefetch:13⤵PID:1516
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3212 --field-trial-handle=1680,i,9205307817495285943,16531763569903312564,131072 /prefetch:13⤵PID:1568
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4208 --field-trial-handle=1680,i,9205307817495285943,16531763569903312564,131072 /prefetch:13⤵PID:5388
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4504 --field-trial-handle=1680,i,9205307817495285943,16531763569903312564,131072 /prefetch:83⤵PID:5464
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4620 --field-trial-handle=1680,i,9205307817495285943,16531763569903312564,131072 /prefetch:83⤵PID:5476
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4632 --field-trial-handle=1680,i,9205307817495285943,16531763569903312564,131072 /prefetch:83⤵PID:6024
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=1680,i,9205307817495285943,16531763569903312564,131072 /prefetch:83⤵PID:5244
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings3⤵
- Executes dropped EXE
PID:5328 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae684⤵
- Executes dropped EXE
PID:5636
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=04⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5772 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae685⤵
- Executes dropped EXE
PID:5888
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=1680,i,9205307817495285943,16531763569903312564,131072 /prefetch:83⤵PID:5504
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1020 --field-trial-handle=1680,i,9205307817495285943,16531763569903312564,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2880
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3316
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:1068
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:1540
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2812
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4264
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1264
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:4296
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2912
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:736
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:1564
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:948
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:632
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:912
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:4700
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4748
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:4724
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:4316
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4376
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4952
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:1796
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4692
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3452
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1500
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:1548
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:2500
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
488B
MD56d971ce11af4a6a93a4311841da1a178
SHA1cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize
1.5MB
MD5abfb1040d601b4ef15a6486bcd78ac7a
SHA16fbaf7fa4c7b2d8a32638cdb9baed3a6c2ca65fa
SHA25631d4d494d7e35b0b63af44b317f4fc6b3a1c5fb58037276e5a58606df1c467a7
SHA51229d52cd86cbb0bc230d2469e0869e0646d7c7e951442297ecf5394e16ab402f3fa2f7382a34572d3fae5d79901919875cebb48ff884430f7b1c85787b241c9a2
-
Filesize
701KB
MD57b0ff6596d3df7bd64acd42b7bd76362
SHA17827ba242a6d56e32061936bd0d30af61d42d7e5
SHA256064df37bc3533d62c5f0f3034b8276934e7ff4045959d348bd0c91184519f1c2
SHA512438b7aec30fd0d66460543f9704a513995de422fb373b4f1b42d0a19afbc909066944505a9e609bbd57d231b3727972c7b65ee771b57be97be18bc48e90bf904
-
Filesize
40B
MD5d0df793c4e281659228b2837846ace2d
SHA1ece0a5b1581f86b175ccbc7822483448ec728077
SHA2564e5ceefae11a45c397cde5c6b725c18d8c63d80d2ce851fa94df1644169eafc9
SHA512400a81d676e5c1e8e64655536b23dbae0a0dd47dc1e87e202e065903396e6a106770cec238093d748b9c71b5859edf097ffff2e088b5b79d6a449754140a52ad
-
Filesize
193KB
MD5ef36a84ad2bc23f79d171c604b56de29
SHA138d6569cd30d096140e752db5d98d53cf304a8fc
SHA256e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize
1KB
MD5d790dfbf892d8a3c482722e0f0309aa3
SHA1c03bd3e66d6221697c3b3e4a796ca0d353d72c6d
SHA2564b07b34c6f0fb325c60951e747e08ef7cf7add2faad842a5852ac67782ea2a4a
SHA512cd87508f2c474ef74db04e7d7b50a14bbb78861677ea515704c6cae64cc7022d16edfcc30b6c3f5af57ef63e7dc2b1d8fa989f30a31d7099d19221609618aa6e
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
354B
MD5e367724f35a1eb2d5e26ac44ff6221ea
SHA1de69713a9d69a3ffbaba5942c57b7d5c77263c7e
SHA2564ec53d7a8a1e361e0c710e8a07a1fd2ca11fac7c21c30c0dfba708f4d58b506c
SHA51214e7f4ca2c8397452d2220f64a11d09117c7a736e65ecb8c0cbc8069d665ee98db2c8de745d3ed75c9e83ed41355da515d258b44ade68194794c3a2bdfc3f0cd
-
Filesize
5KB
MD5961c68aeb2513ac8c1f5eb2f558c8d35
SHA1b8bf8a9e9fcb28052690969ff5769df408655bf2
SHA25685c0878596a8bed192683bd3b6e6fdcb61a495b2229dae8ed75e09828f21f3c1
SHA512248cead1c405054f58f178b40777554a99d38a8ea8586859ee5e51b0b6210031d221b73db3155ac0131133c9017f86245c6e6eb15d59fdd9b243e1f917d2346b
-
Filesize
2KB
MD51d0245a0816fd932b1963600bab98460
SHA182d188a3a5fd107ed83000e16e41e0d67eed941b
SHA256b9d8f68c1f5aeadb1748f8efa21c33a4235cca822bfdf19951d296b2f29944f6
SHA512febc999100ab08b73d52fa2a08f7c09cf2281c420762d121150da6cecc922372a9591619163881a5d2956cc20a7bd6d1b5017b6f0575b55ca6baeeaa604632f6
-
Filesize
16KB
MD5a7571121d0e582db62c81fd1f8fe7cc7
SHA1c518d3d86bdfa707da896f4c59af0f52bdb6d995
SHA2567c1c053e8c827668f1f5b6558a55a1bc8830bbff20baf88566cc0377d0cac378
SHA512381a0b36e50211573714e4e10715b54d12bdadd687cdf2b2aaeaad3fa90bc3ab7acba124a24baa4347bd3730e49618c5cc28e305b6be5e5d20ea95d85790bdd7
-
Filesize
261KB
MD521e7660bd62db4576dd19dcd0159bf5c
SHA1e08ae3c7efde0524b630d60d78cdbab68d3e7415
SHA256a387c8e9f816a66ac7d5c6fce30fc9c8dd2af7edcd8fe41a6c7c2d8e55f3fc1e
SHA5124c7431a589c38c109fb0ad849ce4760cabd9dbb0e5dd26c69d10e65ac541064e9a9ace10763b0eaf9a5f6daadfaceedcf786bf3c0052496a3869f0adaa623767
-
Filesize
7KB
MD5a7dbfabb640b5ce1bacae5cfbf777230
SHA18892820d625c38d40796cb04d7dd6bb45b7bc809
SHA25658437780e14032a0bafdd3562f132930d205bb322a7310510c127c312a7ec912
SHA512ca444d494b657d8e50b4a70cbb9388205603ce5b98fda04401b92f16cb6ddfd7584c4abfcc4b838cfbfa5b4e67efe9fb0826472b5f8b491ba9b483d15a043b7d
-
Filesize
8KB
MD51eb6dc7c5af1d74e7d7ba0915934b6ba
SHA1d21c0de3a9132fd5473da304668ae79c7113738a
SHA256417336415738ed32addaf46fb405aa4f00937a678e322565297a50ed1335d799
SHA5123dc5b24773c0b5a6b25bca427ce8e05dc8a71238d3ac159e88751fd666c4cf30587a6c5beb8d18be95cef6cdd06b3b515ae68b8c637cf77635957d79c15cae54
-
Filesize
12KB
MD5c92e3ef4b2e298ca9d488ffdf26dac6b
SHA1ebb6af648a38092417019f3f33a4236171d0cbcf
SHA256309fee7108131b56c9408ac5ae0f6650fadcff6bb50f4add58ac9847fcb817d0
SHA512c0109cc8e84a1a0804929c4155f9876145a084a45447d8da72f71431636e3fe53f5483520c3bbe999cd409cd93e942fa6fe09dcd063b28f815d157e2e9f9a6f8
-
Filesize
588KB
MD5e277d6c0018902c17b58e93fbf2c3fa9
SHA1ee7f2fc0a135c00425af8786ef306dcca6c12678
SHA2563e4bd5d5c44be7490a63db06347ec57efac89629b8302a940acdc2247ff0f69b
SHA512d0b3233cdbcd63e42b7ffd5a1d00ef7555127ba2c29d51a765eb3aa319f692bacc4be2418194fe47148ce16bee4680e1c46a5656cefba3b571be3b74da3fada4
-
Filesize
1.7MB
MD56bc833cda808a1a815fbb936203eb239
SHA1adb458dc858d548051c3dc4dbd9929f76c0fbf8d
SHA25603667e0e6b53e2c8821db46b47c2147d5f34cfd357fa799fba01e746ce4f3675
SHA512d8e3dd173003cc2aeacce1c3f1068ee0596deee1f8577bbb5f82537f23229e9fb9334ef45a3deb4cad3c31b0ef6699e3729b992db26090adb89bab6b5315551b
-
Filesize
659KB
MD533798ad994cfef615c5b016ca122a78e
SHA1c14584122fb034bf2fde90c3ec8f8e4bffdb1e9b
SHA256f75c6f3b2d5ea4c43db5f965e1995473329a0ef8670f2631c9297139a18f7efb
SHA512abb3e1bea739d44c0102c1579eeed67f1e829c85102a22200ad1c36f0beb5557e72f209985ee2e690ca63e81f31947ba92631c34b1e9f25c56ef6b16958becfb
-
Filesize
1.2MB
MD5feab5586c38aafc862e895a96c13b553
SHA193107c44402657db6aca341c1c16719cd9504cfc
SHA256532e902eb5f3be3f501c5211d8763ea6502e36ed555ab3376479367bc3e9f356
SHA51248ee1013256945a3c39c77843788d10afe4e43d850335583ea48284febe31c83c95f0029a1bea1bab789e3b1b760180892f94db33cdeca748231846b3297678e
-
Filesize
578KB
MD5f95c72660ec72bc01deffd31950d1e80
SHA18218215d4bd81814370ec3b043964206aec4f8b7
SHA25660ee2ea9f8c69ca8678e646ce9e4757c8671f4c218adcfaa2ea70c224bc7dfc1
SHA512b4d04a767215bcd92b4fa15901807cfcd7190e8df79bf62f5358a80d674f7d2ba6423f18d6ad59adf163fc976165c0f1fa7a7a12d15439ac39b7080a027af9dc
-
Filesize
940KB
MD5f8f7c9b108b8a6d597892f9b94df1520
SHA1a2eb10c5721973d200b6e961740f81d807b60380
SHA25609a1cb738dd564ec355532b728b9c21e25dd6d695ce0cc0a0c0ea9914b548736
SHA51245362e2bb812112deecacbb32e486c67890db9d81677484074ad13b71e241d9fee720f302b141264c2ca4b622894748a71488a4b766e362b545c31d76754b6ec
-
Filesize
671KB
MD5296b5194d8ca233775295b7ead5c105a
SHA122762b0db50fd77b82241dd12d7b41900088f308
SHA256cc0f15966114cb35f0953ce4c3b5d3e011cdd9d259d9f0b45b26069d9794bebc
SHA51239f5d60ffb21eaecc4da9145745be3ab01d031106c162c1bef061739192f3aad5ca0c97b1319377220bf7ccad2822307d66bc7da9d3c07cf64787bbf507ee8bc
-
Filesize
1.4MB
MD55df77150802c3e377660718b74168aaf
SHA122e6685a96c34e028131b78c426e2b525637ff50
SHA256d1285067750a97a790c9a7bd73b1129d3b54761dfb6f13197db6758b50c8497e
SHA5121a76b1867933f432ae42239cf528b8410dada3ff677849db928cefd785420c4ab7d6717563d4cb109e9137a4368561cc9bc5c26dc225bf0b23d479634c3817bc
-
Filesize
1.8MB
MD5047dc551d52b4cb9ae8d825b3193624a
SHA17d3fcad2a35652dcd9579cd6229318f432ba4286
SHA256b67be14915a523573a948756aca04a757e86186077d701d647067649bd20c0ee
SHA512556b2c7385bdf439fe216ec01c353ee98ebf6d65e1f6861b7e539fcd7c8e6e67d0fe691b2fda19286748a3b133c25ee9c871e4113563020f1283d9543352d94e
-
Filesize
1.4MB
MD528045ee217fb0f947b196d705f29af74
SHA154c15991572032110f6435bcbcac12a23cf96597
SHA256fc49a3d250733cd90c26810c82d9c34c4bfa798d4619df85caf87069d391c252
SHA512f5650ceb6cfa60b9b9e595bd88856f628ee9ddc56f0e6349e0da120393eb1b4bb9c8597f083549b454a69978be01d711911a62d98b189d03b0ab0b5d78c07623
-
Filesize
885KB
MD52827b832766c32fd42b6f33dd2398afa
SHA14f6844ea1112c077ee3b0d7c914a81319675ceb7
SHA256489ed94bf30d48ed955f5a412e3ac3ceabba827fa27de81a1acb10324d5e5d3f
SHA5121f3eae3a15a9ecafeecc37f5044fe2173dd57871582d2631f7c3caf3572480c27cf9e5340ee7004029b3c4407e6962d4ffa0636e03febeced70030d0a331349f
-
Filesize
2.0MB
MD53f6dafba6e0b107535c00874d9b9b6a9
SHA1ed37f74378a1cc261a55b241915ef6e965e107d2
SHA256eafd57f653283d9adbefaafc532bfa358354a9ff8ff93d4457309eebb2dd8740
SHA5120c2a70e8b60a40ab6102bd1e4c5fb6258e61c213e9734fdbbeb7f4af3f30a65be84374b85939a0e4c2fabddb9263048faf09c1cb30d6139a9ed9e356149dc5ab
-
Filesize
661KB
MD5e0d97fc7dbae2d49848e874f9776eb57
SHA152225bddd5a318740374420e41150ed85d73b52c
SHA25674be3131eb36be32957a0f474dc07a4db1794fb272c2090f224dfaa1450e1d67
SHA512815f6a7957f23f107587f0227b114bf9b7d06e4ca26a5e13dda190018073eeef0e649b72205023f97b851605c583bb5467df53a236db59cbdaf1529f534f29a3
-
Filesize
712KB
MD50dc72e5608a9651c14cd1d43d66bae8a
SHA111e7f7fa4cbbeab87995978c0c9521dc94faac70
SHA256caff3429ca4f811337f8659a77fbdba179137e73beed8e62bf9878a9fa260d0e
SHA51265b64d836caeda2680c11ebdd3341e98990f0102813e37c6c3ab192bd1affa84e0ca439e1ef8bc374a5e77daa197b073aa66dcd8518e45a10e1d077417570c5f
-
Filesize
584KB
MD519cf427dbec29d7b5881cf71c7fa0a3a
SHA1bb65c4807caf4965d90be56d89554320fceeed0a
SHA2563d412408bf1d9ab9292b8530e461af9625d32986a2a1c508469526e7520afe06
SHA512980cd0102b622b9e8e619c3c4773caae2ec1cf6dc8deb6abe09978d42423f5e87b31ac3d6d976fe1a335606f0cddb5de4cf2c48cee653c08b7e4f392afa977ff
-
Filesize
1.3MB
MD5dd0998e8e4a93cfc1b3fe9cbfc43b64e
SHA13802497398cc6de45bb469d7d8bd8814ddaa3cae
SHA25697f3125e0bcd1f074ed270e2f55dde996a3fdde572508a6bcf3ddd21841d5748
SHA51256da28f2883cd13576835e8e742c96d5c6e3ffa0570451568b0b3d76cbeed54607a572db571f308a224a9d6a149324cf1ea8b047cb873984edcd93b78f00533b
-
Filesize
772KB
MD52f861f57872e9fc3bb919ecbeaf35347
SHA1ea582655f084e1f3320d514d2529287f2203bb36
SHA2569c5c587a32c7464f5ac133114a07fa800f36c6990f07a1d983ee915be4f6ba95
SHA5126d7e23b69a6778b945af1f248047d7684759379b08ae12a6fb08f247e205b953b9fb61e616f7404767c0b3791d0486233b5b6aaa9f598ed8fb3072b20f058acd
-
Filesize
2.1MB
MD58cfa0e778a321ae9ff68dc5c88ac6b79
SHA1b51066b0285d196899625a0556491514480ff0ec
SHA256689ad7cabdae452c3df7f8aa47cea128cbb78b5098c41a658c26a95dfa883a4b
SHA512a1f46059382bd36203e28c1e24d8ffaa5a613e42bb939f1c146161aeae7a2141f0f985d5704e067f5119586ecfbb4c33d30c25cd3d530e079fa79e3b3dbe01e8
-
Filesize
40B
MD5dd7a044bb22136e85285d21163fdef66
SHA11fcea0d904998de1bdea9cfa654a50c20b3dcc5b
SHA256b918a44d48859b4ed705a9a7a23d4a816a368aa2161ad495a7a6d1c6992b61a0
SHA51267afbad0468b8d5b405186c63a0960f5fcda15b2ab73767c292863e221265758001b2e110a3296f5d2ba1463863d556a535850a65a107344ade40a79c33bf358
-
Filesize
1.3MB
MD50bede993aca7383c3a927dd9d7cffc67
SHA15ff2af5911b51c7d35279f185405d94de1618624
SHA25678ed7032779e691769ae323beaa9470a1aea86c3adab47fc3961781b43ab367b
SHA5125b6358a2faa447f46778aaed70d3809bb32e4db95c0f7beef61c01dbb310029ba88dde41630a896159c3539b728bddf7cff093621ee55bdd96896a48bb30eca1
-
Filesize
877KB
MD5c2694a720e33abf0d6205daa0ce9023f
SHA1ace6143076f9235e4f2ca2fbc6dc03eba2eb1ef6
SHA256a19e4b9b21c85de3fae28a491e8ca55519fc75dfc5936842e95f86d240dfa29c
SHA512dcb31ab9a2f74b70ef94bc6e5f7b971afd39799e31cdb123926655cb10a59655fbc5927293bbb6542a6a6dc34e99cf41f3020c6f90f34217f280fb951cd7ab83
-
Filesize
635KB
MD51cbf3ec939033b64581d44dbbdc54e67
SHA1141d8f7276a291f76c3b550373ebd317138ea4d5
SHA2568d7f71c625b3634deb82e53bf9995a11b620d0976e9cf59709c1bd61b2480ce8
SHA512186143e7023532faa801133428895e240e62cbec1dc108ab199fcf04ad8421b59fd51161af78d198a8f027535458fb07a83331477a47a14143e3e3d2648f5f67
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e