Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 01-06-2024 06:51
Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
Resource: win7-20240508-en
General
Target: 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
Size: 5.5MB
MD5: 779a806e04aa81c1e6c9bbf738e7168a
SHA1: e08c85714808c49862ebccb345580860a88d9051
SHA256: 1bc879c9975bc6cccb55150e682c84ca724811dd22332b6b8d2258b6239c0df4
SHA512: 180300a4d86a534534f2ff56d0f0b5b09665fe74983e1c47753635205c0c9f1d2382172b330ad4d7cb5f1d4091a5c00c17c42d777b4f19d2cc11566a7507fb62
SSDEEP: 49152:9EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf5:BAI5pAdVJn9tbnR1VgBVmCWAV7v
Malware Config
Signatures
Executes dropped EXE (26 IoCs)
pid | Process
1356 | alg.exe
404 | DiagnosticsHub.StandardCollector.Service.exe
2804 | fxssvc.exe
4116 | elevation_service.exe
2116 | elevation_service.exe
3976 | maintenanceservice.exe
3532 | msdtc.exe
2368 | OSE.EXE
3692 | PerceptionSimulationService.exe
208 | perfhost.exe
5080 | locator.exe
536 | SensorDataService.exe
2184 | snmptrap.exe
4392 | spectrum.exe
1496 | ssh-agent.exe
2816 | TieringEngineService.exe
1064 | AgentService.exe
3244 | vds.exe
5004 | vssvc.exe
2492 | wbengine.exe
3852 | WmiApSrv.exe
1100 | SearchIndexer.exe
5872 | chrmstp.exe
5944 | chrmstp.exe
4108 | chrmstp.exe
5216 | chrmstp.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (24 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\f1b9cb04e703f493.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\java.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaw.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec15782ff0b3da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6610d29f0b3da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa733f29f0b3da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e574d72ff0b3da01 | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133616982967475934" | chrome.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000931f6430f0b3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000931f6430f0b3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str)
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" SearchProtocolHost.exe -
Modifies registry class 1 IoCs
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (chrmstp.exe)
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
- PID 3052 chrome.exe
- PID 3052 chrome.exe
- PID 1656 chrome.exe
- PID 1656 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
- PID 656
- PID 656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
- PID 3052 chrome.exe
- PID 3052 chrome.exe
- PID 3052 chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- Token: SeTakeOwnershipPrivilege 1684 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
- Token: SeTakeOwnershipPrivilege 1224 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe
- Token: SeAuditPrivilege 2804 fxssvc.exe
- Token: SeRestorePrivilege 2816 TieringEngineService.exe
- Token: SeManageVolumePrivilege 2816 TieringEngineService.exe
- Token: SeAssignPrimaryTokenPrivilege 1064 AgentService.exe
- Token: SeBackupPrivilege 5004 vssvc.exe
- Token: SeRestorePrivilege 5004 vssvc.exe
- Token: SeAuditPrivilege 5004 vssvc.exe
- Token: SeBackupPrivilege 2492 wbengine.exe
- Token: SeRestorePrivilege 2492 wbengine.exe
- Token: SeSecurityPrivilege 2492 wbengine.exe
- Token: 33 1100 SearchIndexer.exe
- Token: SeIncBasePriorityPrivilege 1100 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 1100 SearchIndexer.exe (repeated)
- Token: SeShutdownPrivilege 3052 chrome.exe (repeated, alternating with the following row)
- Token: SeCreatePagefilePrivilege 3052 chrome.exe (repeated)
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
- PID 3052 chrome.exe
- PID 3052 chrome.exe
- PID 3052 chrome.exe
- PID 4108 chrmstp.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
- PID 1684 wrote to memory of 1224 (1684 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe, procid_target 81)
- PID 1684 wrote to memory of 1224 (1684 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe, procid_target 81)
- PID 1684 wrote to memory of 3052 (1684 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe, procid_target 83)
- PID 1684 wrote to memory of 3052 (1684 2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe, procid_target 83)
- PID 3052 wrote to memory of 3620 (3052 chrome.exe, procid_target 84)
- PID 3052 wrote to memory of 3620 (3052 chrome.exe, procid_target 84)
- PID 3052 wrote to memory of 3612 (3052 chrome.exe, procid_target 111) (repeated)
- PID 3052 wrote to memory of 2872 (3052 chrome.exe, procid_target 112)
- PID 3052 wrote to memory of 2872 (3052 chrome.exe, procid_target 112)
- PID 3052 wrote to memory of 828 (3052 chrome.exe, procid_target 113) (repeated)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe (PID 1684)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe"
  Signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe (PID 1224)
    Command line: C:\Users\Admin\AppData\Local\Temp\2024-06-01_779a806e04aa81c1e6c9bbf738e7168a_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2ac,0x2d4,0x140462458,0x140462468,0x140462478
    Signatures: Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3052)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
    Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3620)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6f4cab58,0x7ffd6f4cab68,0x7ffd6f4cab78
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3612)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1920,i,18217448109913988332,2504552526191930536,131072 /prefetch:2
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2872)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1920,i,18217448109913988332,2504552526191930536,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 828)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2168 --field-trial-handle=1920,i,18217448109913988332,2504552526191930536,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2528)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1920,i,18217448109913988332,2504552526191930536,131072 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1644)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1920,i,18217448109913988332,2504552526191930536,131072 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5108)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4316 --field-trial-handle=1920,i,18217448109913988332,2504552526191930536,131072 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5168)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 --field-trial-handle=1920,i,18217448109913988332,2504552526191930536,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5212)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1920,i,18217448109913988332,2504552526191930536,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5700)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4748 --field-trial-handle=1920,i,18217448109913988332,2504552526191930536,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5760)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 --field-trial-handle=1920,i,18217448109913988332,2504552526191930536,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe (PID 5872)
      Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
      Signatures: Executes dropped EXE
      - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe (PID 5944)
        Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x26c,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        Signatures: Executes dropped EXE
      - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe (PID 4108)
        Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
        Signatures: Executes dropped EXE; Modifies registry class; Suspicious use of FindShellTrayWindow
        - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe (PID 5216)
          Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
          Signatures: Executes dropped EXE
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6124)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1920,i,18217448109913988332,2504552526191930536,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1656)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2412 --field-trial-handle=1920,i,18217448109913988332,2504552526191930536,131072 /prefetch:2
      Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\alg.exe (PID 1356)
  Command line: C:\Windows\System32\alg.exe
  Signatures: Executes dropped EXE
- C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (PID 404)
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory
- C:\Windows\System32\svchost.exe (PID 3452)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
- C:\Windows\system32\fxssvc.exe (PID 2804)
  Command line: C:\Windows\system32\fxssvc.exe
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (PID 4116)
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  Signatures: Executes dropped EXE
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (PID 2116)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  Signatures: Executes dropped EXE
- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (PID 3976)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  Signatures: Executes dropped EXE
- C:\Windows\System32\msdtc.exe (PID 3532)
  Command line: C:\Windows\System32\msdtc.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Windows directory
- \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (PID 2368)
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  Signatures: Executes dropped EXE
- C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (PID 3692)
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Signatures: Executes dropped EXE
- C:\Windows\SysWow64\perfhost.exe (PID 208)
  Command line: C:\Windows\SysWow64\perfhost.exe
  Signatures: Executes dropped EXE
- C:\Windows\system32\locator.exe (PID 5080)
  Command line: C:\Windows\system32\locator.exe
  Signatures: Executes dropped EXE
- C:\Windows\System32\SensorDataService.exe (PID 536)
  Command line: C:\Windows\System32\SensorDataService.exe
  Signatures: Executes dropped EXE; Checks SCSI registry key(s)
- C:\Windows\System32\snmptrap.exe (PID 2184)
  Command line: C:\Windows\System32\snmptrap.exe
  Signatures: Executes dropped EXE
- C:\Windows\system32\spectrum.exe (PID 4392)
  Command line: C:\Windows\system32\spectrum.exe
  Signatures: Executes dropped EXE; Checks SCSI registry key(s)
- C:\Windows\System32\OpenSSH\ssh-agent.exe (PID 1496)
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  Signatures: Executes dropped EXE
- C:\Windows\system32\svchost.exe (PID 2228)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
- C:\Windows\system32\TieringEngineService.exe (PID 2816)
  Command line: C:\Windows\system32\TieringEngineService.exe
  Signatures: Executes dropped EXE; Checks processor information in registry; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\AgentService.exe (PID 1064)
  Command line: C:\Windows\system32\AgentService.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vds.exe (PID 3244)
  Command line: C:\Windows\System32\vds.exe
  Signatures: Executes dropped EXE
- C:\Windows\system32\vssvc.exe (PID 5004)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe (PID 2492)
  Command line: "C:\Windows\system32\wbengine.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\WmiApSrv.exe (PID 3852)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  Signatures: Executes dropped EXE
- C:\Windows\system32\SearchIndexer.exe (PID 1100)
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\SearchProtocolHost.exe (PID 4564)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    Signatures: Modifies data under HKEY_USERS
  - C:\Windows\system32\SearchFilterHost.exe (PID 1664)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
    Signatures: Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize 2.1MB
  MD5: 366fed501fc265272096511c96bc45c0
  SHA1: 7d8105f79657d731de438488defc14adb77cf9ee
  SHA256: eb46455fb3e2bf6deab84a91820242afd47ad4f6068794d88e44bc043e958be3
  SHA512: cb2a607b87ef99da9345902dc228404df93c03e755db680ac46db59d3e805265d6e9c3ee6dd2345cfc26ffca53e0143c91286042307f2976c0e4785c78f71788
- Filesize 797KB
  MD5: 5919bbaddb2a1a5c534bfdf92516dc9a
  SHA1: ba1bd54c7acf04f43df3dceaba27cfe4d0c0713a
  SHA256: c77a41531d5eac8a55e6746081cb45665437c2f93bb3e70d76085e17907faddf
  SHA512: 09ba3302ed6de059ee91ddba8cf6f3c62b2e8c32d8db4869d7c395d23443e01a4411d958686416fbdc32b7a6794a670b6aeece85ec42670239ace78be49a61f4
- Filesize 805KB
  MD5: 2eca4413809e47f9c29ec7fad68d282e
  SHA1: b4852ef907f8fdf00a5de6cdb96fbbfad1fddbdf
  SHA256: 2483e3acb18d3c0198409caf8a5281531ada2dcb7f4bd6b57d639fd33de11577
  SHA512: 080c806c1e86a807eb91dd319b06ec1a097ba4c6f7db544b222ab7ee837413cc8c2e9266ad801fd2180c92d6bd79a52cc14dbb4c788314239312ae24d8dddc14
- Filesize 5.4MB
  MD5: cb024d28b26b6e1c75b89710173600a6
  SHA1: 00a885d05df147dade66348581915d6d9db327c8
  SHA256: e5f9a3818ac0f075642048d46d98b6caa6a2892d0aadaff5e094d227bbdf3054
  SHA512: 85dd52d7659ccaa56ca48a1f9e8e0a389381e13c8b91ca10b4150aee0f4edb6600fd6f090a97bb41956906424e41743323e03acaf45ccc2e8f1ef21d825b3f60
- Filesize 2.2MB
  MD5: 0c5013a5af3a8784d05594fc6acef872
  SHA1: 6d255289bf6a26887cf2cdbec88191f299c78c35
  SHA256: 6a8b4d1fdb84d0091ff1681155a256e279b792f1456b4ef4c68ef1608d4e3503
  SHA512: 5546041c74a4fe28ca4f08e0dca9bfdebc682b64d644d907dda41d4cab1cda4e8f6db5e2ae7894d892d35efe273608f0d74d299af0882cf91575c899e3fe27b9
- Filesize 488B
  MD5: 6d971ce11af4a6a93a4311841da1a178
  SHA1: cbfdbc9b184f340cbad764abc4d8a31b9c250176
  SHA256: 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
  SHA512: c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
- Filesize 40B
  MD5: d0df793c4e281659228b2837846ace2d
  SHA1: ece0a5b1581f86b175ccbc7822483448ec728077
  SHA256: 4e5ceefae11a45c397cde5c6b725c18d8c63d80d2ce851fa94df1644169eafc9
  SHA512: 400a81d676e5c1e8e64655536b23dbae0a0dd47dc1e87e202e065903396e6a106770cec238093d748b9c71b5859edf097ffff2e088b5b79d6a449754140a52ad
- Filesize 193KB
  MD5: ef36a84ad2bc23f79d171c604b56de29
  SHA1: 38d6569cd30d096140e752db5d98d53cf304a8fc
  SHA256: e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
  SHA512: dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
- Filesize 1KB
  MD5: 98afa17c092dae13a5a532b471609750
  SHA1: fc8544118f9833e6cb5cb62278d0405feb5d3b4a
  SHA256: 8d68f08e1ebea046a3be32ca4618ac951aaa544aa44a4640d52536a87dc0c869
  SHA512: 109a99183a671e611559a3c67a8c9094ecbe04411630bca4f38ac34f2e4c7716647e49b7c8a0b9d97274b7e088c0802af78c4701798cc3db3210589c02f56f41
- Filesize 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
- Filesize 354B
  MD5: 0f5183c7ade31ada1f53fc221c5ed4f0
  SHA1: 51005d222e8eceedbe1038db408ed5047f7834bf
  SHA256: 85523eedbf28736d74807a9f843dd0a63af71fd154741916ae4aad930d777199
  SHA512: f80a4bea98130dc8b9cb1c829e1f45c2490fd0dc839c216470072259ee896916e5290faa44358f217ad9c09bc539f422765a316f96dd1be2450a2742438051ee
- Filesize 5KB
  MD5: 3e9135a222496566e7f3bd95f82611e7
  SHA1: 8baee4ac2fd5b89d04969d004057f7563d6094dc
  SHA256: 57d2012b06a51643b7e917f10a9b291de7056a03ee03b01a093eb2d11edea321
  SHA512: ac77bdcb7f8ffc34dd6596bf6c4e6e7601ab896eeabfbe7c511c91b797df1a554ec76eeb9b84ca69804e095c2609724979e783932bfad087fa7774b63ad649bb
- Filesize 2KB
  MD5: 1d0245a0816fd932b1963600bab98460
  SHA1: 82d188a3a5fd107ed83000e16e41e0d67eed941b
  SHA256: b9d8f68c1f5aeadb1748f8efa21c33a4235cca822bfdf19951d296b2f29944f6
  SHA512: febc999100ab08b73d52fa2a08f7c09cf2281c420762d121150da6cecc922372a9591619163881a5d2956cc20a7bd6d1b5017b6f0575b55ca6baeeaa604632f6
- Filesize 16KB
  MD5: a62e2e7f87fcda56f4476e54ee297984
  SHA1: b165c55335be41c5850afc074ef82d29217e7ad7
  SHA256: cf0f4eb611c1977a12589be1ae01775efd8cd8af91285d588bf55e26f90b8e41
  SHA512: 14e11338fb45c10b06cd7e830e094c6974c5a04fb511f66171af30bd4b3fa43b225def0106f9c514eb9cc54a917a5dcf6d2284ab9ce69f85afdb580af08a81fb
- Filesize 261KB
  MD5: 52296a42e1f8f9cdc5534342ea5b1118
  SHA1: 58f5535bd65c0da408e0b8e884f733084698e2c1
  SHA256: 9cfbc05570c2fb8a7fafde754fe2f66ccc32a99367658f3c2a03a1944c60a656
  SHA512: 90739a170f1797e3274e0c02b816558dd47273eee545aa651a7c1aa20ee52b3387fa28645193da567cae04c7fe89fdfd79d4b51e69348d9787f91af5d9057620
- Filesize 7KB
  MD5: a938d514c295f842885050b981be7492
  SHA1: c5f5404d2441a657d87d3886809cb3062ab6cf0a
  SHA256: 328ea88e39f148c3a8c8ee1b1409747ee769054b27fe824deca675d13d1dd4e6
  SHA512: 4d99b7442dedf50a23955109c2d9c12b20525cd0389e04affa4b8af6f19d6e23ab471cf7f572257fb1a10de46b8964ef429f046851d6b8894fb8ae5a241ba527
- Filesize 8KB
  MD5: 35b4831c6fc5396a5196b8485cb59254
  SHA1: e32884f4203e7da04abd76ed848a0875199cb59b
  SHA256: 87c81abc84c58b87ad84606c726f7010f3537139fa8a37e5f8f330eba0e86917
  SHA512: b857fee216532dae8af1a9ebe217771bb12df173a45e16f7eb53beec0e48dd319d8b6c9bb77823a028cd981fa12c4d9ee69742c9546fa43ecbbf505810875e03
- Filesize 12KB
  MD5: fe460da249870bf1e21a94ee19b9229a
  SHA1: 2215dfb5f849e503eda56219b2981ab0cde0fbd7
  SHA256: 3b0811d12366090231e9d628741d945099ea8e323431cb919800f4716ca1b59b
  SHA512: 3df27390cf3b71d315bb57cdec0b7813648ed12e32b52f3a9d7c5ad2212f8c27a97bda41c326664a2cc2b2fcb4d1da939c323c1076d3b4dcf71a8315b4ede8e5
- Filesize 588KB
  MD5: b271cdac4a667534cebf9ce21daff1ff
  SHA1: 96d9b01592f5fa31d18548ea0e5ede6922bee26c
  SHA256: c01a87a8d0b4540d72539430be4f31291f770c37c9866b45e173d183c30d7359
  SHA512: c7618783dd0706e41c3d6f30655ac89c33d2dcd99b4e049d047ba389ce3e3525fc82fcda94bf2ead5bece5b3b01aa5b1b3a063339c1f0e870f795fcb9c58ffbb
- Filesize 1.7MB
  MD5: 588f19f46ea5a865ad15286d72689be4
  SHA1: 057bc61124f99d52a3acc4c690e28c7464e91fee
  SHA256: 5c63db4752670e3bdbd4ef02f94769b8577c606a16e129d7219081fd120adb41
  SHA512: ee26667eff4a271fa37aa8be6624cf1f60963beef75590cf0457e24a78d1050a060d1f7e5b41f20aeb77089eb22d00b67c232256c66ead1eb633524f692e8b01
- Filesize 659KB
  MD5: 296747dc7e49b6a786a6e2461303e164
  SHA1: fff6242a11390ead34e2604dd5e28b9872508628
  SHA256: 6b90643e2f89754fb1e2ea462869db96afe6eb106e3f19cdbac1a2496bf904b6
  SHA512: c4b418c01888fea1a530516fdf4d2f52dd1450cf2f0efe7941ed2244ae5e61573c5acb07940e3973b0493e3f4e0583191e672430c892fe3abfe17ab20106c7ce
- Filesize 1.2MB
  MD5: fbba8ee7ef1e2e22cdbc83653ffbdf47
  SHA1: 4299b2108e483e7756bf63f39b26bdd73b13fb19
  SHA256: f03af112afa1204c74445f2a5189d7ef7d6beeb674a4b8352445300d4bcfba32
  SHA512: 95d6ff68443a90936c9e6c17b5f3fde963c6e2279b1938a9359ef2dddee1db4d9697d454514f03c2bd285263bc3d83787585f262670cca0a0b24e0321c62e2ad
- Filesize 578KB
  MD5: 4c34c77fea862b78553afca3f1bab6c3
  SHA1: 8fe5beb89cb8efbb9c98c12ac3f8d207b0518aa8
  SHA256: f43b300287876a4a64e62180e4889da23ba1bab53e277c5c46f8010920ee0934
  SHA512: 040d57731718140fd80c2ca39c657ccd91a9cf7798a4a7143b9cb4bf652ee8555c6f6d1b09f767a0d87315cfe624fd73805fd4002f28709190751b9a130e0b2b
- Filesize 940KB
  MD5: 60302d0260150642d4f73d9c36da6e05
  SHA1: 9f8fd4ea87a1865ae46b7f1e48264c43d9f4abb3
  SHA256: 440dc41f602982c69353bb23abe8458b17205fa268552b9f1764d468432c0db2
  SHA512: 653170ea617d3cfc581d4bcaed0d5bfc7afebdf6a502da616d2587b34a17e5544b56cebc74203058b1f20d6488220c97554fd88e05d269d3b332cf9855bcc037
- Filesize 671KB
  MD5: 8a3e398f37ab8203849bc62a66123503
  SHA1: b2e3ea01337812a39f8b713483134a94f9bddfa1
  SHA256: 25b98c25bbec1b0c7137377ec192c1a3989095968eef5e66b18d84ed69277498
  SHA512: 113dca608b7426025ca127ba061bc68f3caa14edd73c4ace0a9831ea28999688e08ff07242ac7a5cb75949db3ae3e28c07ecd13ff06bdc27d664580fd13d7994
- Filesize 1.4MB
  MD5: 7e2e1d5dafd6223dd8b98de580d3aa4e
  SHA1: 48d26b7dde35e8563072e42a759970251407c586
  SHA256: 250ff705aa9c898d8a80689bea5667a9fca536736fc17cfe2fa8faea2dfba881
  SHA512: ddd85e8606b445b23aa7aabb2b818dee72ec82e006acf2e557db861d7095e3df5b2dbb3f9cf682b26781fa60be045eeee84cb5d4ee9acefb25b987b3f66a467b
- Filesize 1.8MB
  MD5: 41c8d4f3de5f10fc8bed1affff5dcef6
  SHA1: 7e95ff37bf40813eafb9b83f9f6d817fc6016867
  SHA256: f306e86e247814e8ada7386f3badc1bcbd89a6a3916564a60b88c1a18df5c1ad
  SHA512: 72367df897c00f2b0d8470f72bc77080ae6444fbea0ff8b536974192617d90f2d658bab1cddec0a362b22d195c3761eca989ee2801db77b1437ec9b1b6f2a578
-
Filesize
1.4MB
MD5a62ba4f7f0e153eceb73988deac415f0
SHA12e5753a31d47240017d14e22a85c614bc2f8543f
SHA2563e475a46ccaf08d7821c60047ea4e529c4f03754ae4d23001b5d5940a46e4d83
SHA5120946de876c602b13a65c3ae0fee9ecd0ba585d534bc1b1340ec9bddb1d95d7a5d79162fa7828837341a859bcf28da26e97ce9f16318c4da8b5bbd93239e81b40
-
Filesize
885KB
MD5a4a25559841633c3a2d01ade083c2eb9
SHA1fa5d6530e349ea195846797f0a83c67363287e44
SHA2566915d46feabe93a3c961d23bd1a0eaff8d4a3db70328061bb4bd6ce0dd036201
SHA5128e63b9c828703492625b82c831dfed49dee87265ad52ef1cbcc2ad49ee92407e1e1e867d7a278258167b9350ee8a978888ec1534db879726d37bdd262022ff9d
-
Filesize
2.0MB
MD5d36129e2fd34e11df46ff6140dcf00b7
SHA1fc47c3c3561ecefd8f12d9464698aa111ada1b4a
SHA256e9ca47c37852d33d8582f2baf8ee80e3c8f40a1d08cc1c84a8b196f5aa3a346f
SHA512df9c518cec97c54263f56ad69602bad7a111307d5f5d8ee4db27b6190aeddaf31db1f0e89deb0854e02a15ed058bf7485c70bacd1f3f9d7da27c7214c5000d06
-
Filesize
661KB
MD554408885ba3e3e69912028d58c5fa442
SHA1664d55a1633e48ce6d3d285cd72e1693a2217372
SHA256139455b0ef077aa739450dff657a1eee83643482ea8183fd4e62e15d4d0cff98
SHA51235fac82adffdc3210b20d5272a5e232e63dc8b2da1aee5ffa1cbd739be4f9a417038664da1d85bd3617ddb6cda3e5cf4ae4c4c65181fc21657a0f09311751e71
-
Filesize
712KB
MD5ea9bba895e6034cb5a0d497069cd3c26
SHA13cb470c9c52160e5407146d43ad8730a760d061c
SHA256334570977fc26f798d20de3ee9ef36d5e574bb2bc305be1f7098b16c8c385ad4
SHA512c64fc803a412e7bcc7be1dbcbae02c88972c3e270f477b58281723ae0dd6b62508ab7599104b3cbb0ac061d251e724c8139ff5c92bbd79fa0a651f5a982aded4
-
Filesize
584KB
MD51eef25df0dcb8e1d58f58fe770172ce4
SHA1c3f113255ec638c859fafcd9eb00a320c94e3cfc
SHA2566cf41ec9b1ac18948a29d3497496ca937c3ae08e47149169003d79584d3c7caf
SHA512941a5ba08868f651d97e184605156daedaef2858306b2ce506bcb645bab5d71355e40f8560395556789c979dfaaf49f28032abbe2b637fe08a82ca5fd81f1835
-
Filesize
1.3MB
MD5f05c288b03a6fba92a52c4ddc2a40825
SHA12553e312dd881357f02d273db73b75fa1c05e0bf
SHA25664ac9aae02136f0eca1fca67ef7d5111a9597e7cc18e12c0a97e6970a38fc754
SHA512c2ff77ea1ac0d89364a76e429d76a336be30ed2414b5e66dc354ceef693048aab08981923a3c9a44db92a3a0740a9641e8a7b7ebf327963d5236e92c26ef291f
-
Filesize
772KB
MD58e17f7220be05022a10691ade344eb74
SHA12324c028d6196885b91dfba2ce82451e12e84f5e
SHA256bbb819a694f70dda6fa12cd0cbdb8adbb27f3d1db7541b2d81ce2b9d18f34252
SHA5121d69a612d543edd60405da16fb18ec49c0ef340be858eff860f79843513873a23ac9674d8e03c8ee53639d42656da1943287e9ab58be2134853c2007f2b3481e
-
Filesize
2.1MB
MD554a4951de5496bb086ffb3d9fbe59a17
SHA1001e5da726df2b0915cd81ed0fa3b18dfb082685
SHA25638f1fcfef12b3eed42a6611b9db02751faeda15adda8da5ab71be9f600383fa4
SHA51245bedbd62fc7c477bb73f17bb4898453c081ee41dd415c4f77fa964758cc852cdf77973459c621ea03524f163726519740b241974b216e6ffa255a5ad9b09883
-
Filesize
40B
MD5dd7a044bb22136e85285d21163fdef66
SHA11fcea0d904998de1bdea9cfa654a50c20b3dcc5b
SHA256b918a44d48859b4ed705a9a7a23d4a816a368aa2161ad495a7a6d1c6992b61a0
SHA51267afbad0468b8d5b405186c63a0960f5fcda15b2ab73767c292863e221265758001b2e110a3296f5d2ba1463863d556a535850a65a107344ade40a79c33bf358
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e