Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 07:41

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
Resource: win7-20240221-en
General
Target: 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
Size: 5.5MB
MD5: 9186fe483f543f0674621a1f9d7857c7
SHA1: 93d070e381d9966ac1242b1fb00c030b4a476081
SHA256: 740316d7a5a89a033a9173f4725f43c8deca8d03ab96d185dd4fb5ee15e8573f
SHA512: c038b2f5af49771acd40fd01774b2021ef7edd3f0cceeed7a0a1c855c76c8eb4fcd17bab38b04dbe6fca80251948240d7c6d47793d3c30c3679b4d6bd3cc6f92
SSDEEP: 49152:rEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfH:3AI5pAdVJn9tbnR1VgBVma+pFtFR
Malware Config
Signatures
-
Executes dropped EXE 26 IoCs
Nearly every image name below is a pre-existing Windows or third-party service binary that the sample or alg.exe opened for modification (see "Drops file in System32 directory" and "Drops file in Program Files directory"). The signature reflects the execution of binaries whose on-disk content was modified during the run, so the list doubles as an inventory of files to verify (signature, hash) on a suspected host.
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe (2 instances), maintenanceservice.exe, msdtc.exe, OSE.EXE, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe, chrmstp.exe (4 instances)
pid | process
1680 | alg.exe
4664 | DiagnosticsHub.StandardCollector.Service.exe
2264 | fxssvc.exe
2284 | elevation_service.exe
4820 | elevation_service.exe
4948 | maintenanceservice.exe
4252 | msdtc.exe
384 | OSE.EXE
332 | PerceptionSimulationService.exe
3936 | perfhost.exe
3252 | locator.exe
3088 | SensorDataService.exe
5032 | snmptrap.exe
4616 | spectrum.exe
8 | ssh-agent.exe
2436 | TieringEngineService.exe
1956 | AgentService.exe
2036 | vds.exe
1636 | vssvc.exe
2240 | wbengine.exe
1532 | WmiApSrv.exe
1556 | SearchIndexer.exe
5728 | chrmstp.exe
5812 | chrmstp.exe
6040 | chrmstp.exe
5576 | chrmstp.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 31 IoCs
Processes: 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe, alg.exe, msdtc.exe, 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
Every target except MSDTC.LOG and 91414284c3136770.bin is an existing service executable. alg.exe, itself opened for modification by the sample, goes on to open further System32 binaries for modification, which is the propagation chain behind the "Executes dropped EXE" list. The one artefact here that is not a pre-existing binary, C:\Windows\system32\config\systemprofile\AppData\Roaming\91414284c3136770.bin written by alg.exe, is worth collecting from an infected host.
description | ioc | process
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\91414284c3136770.bin | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
-
Drops file in Program Files directory 64 IoCs
Processes: 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe, alg.exe, maintenanceservice.exe
description | ioc | process
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | alg.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | alg.exe
-
Drops file in Windows directory 3 IoCs
Processes: alg.exe, 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
-
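The three "Drops file in …" sections and "Executes dropped EXE" are most useful read together: a name that appears as a write target and then as a running process is a pre-existing binary that was modified in place, and alg.exe appearing on both sides shows the second hop of the chain. The script below is an added illustration, not part of the sandbox's own tooling or the sample. It parses a constructed subset of rows re-typed from the sections above in the report's "description path process" layout (the regexes that split that layout are an assumption about this page's text, not a documented format), joins the file table with the process table, counts writes per writer, and separates out the non-executable artefacts worth collecting.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

SAMPLE = "2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe"

# Constructed input: a handful of rows re-typed from the "Drops file in ..."
# sections of the report (a subset, not the full lists), in the report's row layout.
FILE_ROWS = [
    rf"File opened for modification C:\Windows\system32\AppVClient.exe {SAMPLE}",
    r"File opened for modification C:\Windows\system32\fxssvc.exe alg.exe",
    rf"File opened for modification C:\Windows\System32\alg.exe {SAMPLE}",
    rf"File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe {SAMPLE}",
    r"File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe",
    r"File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\91414284c3136770.bin alg.exe",
    r"File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log maintenanceservice.exe",
    rf"File opened for modification C:\Program Files\7-Zip\7z.exe {SAMPLE}",
    r"File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE alg.exe",
]

# Constructed input: "pid process" pairs re-typed from "Executes dropped EXE".
EXEC_ROWS = ["1680 alg.exe", "2264 fxssvc.exe", "8 ssh-agent.exe", "384 OSE.EXE", "4252 msdtc.exe"]

# Assumed layout: a fixed action phrase, a path that may contain spaces, then a
# single process token. The lazy path group stops at the last whitespace run.
FILE_RE = re.compile(r"^(File opened for modification|File created)\s+(.+?)\s+(\S+)$")
EXEC_RE = re.compile(r"^(\d+)\s+(\S+)$")


def parse_file_row(line):
    """Return (action, path, writing_process) for one file-IoC row, or None."""
    m = FILE_RE.match(line.strip())
    return m.groups() if m else None


def parse_exec_row(line):
    """Return (pid, image_name) for one 'Executes dropped EXE' row, or None."""
    m = EXEC_RE.match(line.strip())
    return (int(m.group(1)), m.group(2)) if m else None


def writer_counts(file_rows):
    """Number of file writes per writing process: who is doing the propagating."""
    return Counter(p[2] for p in map(parse_file_row, file_rows) if p)


def non_executable_writes(file_rows):
    """Written paths that are not .exe files: logs and payload blobs to collect."""
    out = []
    for parsed in map(parse_file_row, file_rows):
        if parsed and PureWindowsPath(parsed[1]).suffix.lower() != ".exe":
            out.append(parsed[1])
    return out


def modified_then_executed(file_rows, exec_rows):
    """Join: executables opened for modification whose image name later ran.

    A pre-existing binary that is written to and then executes under its own
    name is the in-place modification pattern the report shows. Keyed by the
    lower-cased image name; records the path, the writers and the observed PIDs.
    """
    modified = {}
    for parsed in map(parse_file_row, file_rows):
        if not parsed:
            continue
        _, path, writer = parsed
        name = PureWindowsPath(path).name.lower()
        if name.endswith(".exe"):
            entry = modified.setdefault(name, {"path": path, "modified_by": set(), "pids": []})
            entry["modified_by"].add(writer)
    for parsed in map(parse_exec_row, exec_rows):
        if parsed and parsed[1].lower() in modified:
            modified[parsed[1].lower()]["pids"].append(parsed[0])
    return {k: v for k, v in modified.items() if v["pids"]}


if __name__ == "__main__":
    for name, info in sorted(modified_then_executed(FILE_ROWS, EXEC_ROWS).items()):
        print(f"{name:16} pids={info['pids']} written by={sorted(info['modified_by'])}  {info['path']}")
    print("writers:", dict(writer_counts(FILE_ROWS)))
    print("non-exe artefacts:", non_executable_writes(FILE_ROWS))
```

On the subset above the join returns alg.exe, fxssvc.exe, ssh-agent.exe and OSE.EXE; msdtc.exe is excluded because it only appears as a writer (of MSDTC.LOG), not as a modified executable, and AppVClient.exe is excluded because nothing in the process table ran it. Feeding the script the full tables from the report gives the host-side verification list directly.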
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Both readers here, SensorDataService.exe and spectrum.exe, are Windows service binaries listed above as opened for modification by the sample or alg.exe and as dropped EXEs that executed. The reads target device Properties keys and FriendlyName values under Enum\SCSI; whether they come from the injected code or from the host service's own device enumeration cannot be decided from this section alone. What the rows do show is the sandbox's own fingerprint: the CdRom entries carry Ven_QEMU / Prod_QEMU_DVD-ROM and Ven_Msft / Prod_Virtual_DVD-ROM, which are the strings a VM check compares against.
Processes: SensorDataService.exe, spectrum.exe
All keys below are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\; paths are written relative to it.
description | ioc | process
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
-
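The registry paths in this section embed the vendor and product strings the sandbox exposes to the guest, which is exactly what a VM check reads and compares. The script below is an added illustration rather than code from the sandbox or from the sample. It parses a constructed subset of the rows above (full \REGISTRY\... paths, re-typed), groups the reads by SCSI device instance and reader process, and applies a short, assumed list of hypervisor markers (VM_VENDORS and VM_PRODUCT_WORDS are illustrative, not a definitive list) the way an evasive sample would after querying FriendlyName.

```python
import re

# Constructed input: five rows re-typed from the "Checks SCSI registry key(s)"
# section of the report; a sample, not the full list of 64.
SCSI_ROWS = [
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName spectrum.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName spectrum.exe",
]

# Assumed, illustrative marker lists; a real check or a real detection rule
# would carry a longer, environment-specific set.
VM_VENDORS = {"QEMU", "VMWARE", "VBOX", "XEN"}
VM_PRODUCT_WORDS = ("QEMU", "VIRTUAL", "VBOX", "VMWARE")

# Assumed row layout: action phrase, a registry path without spaces, process token.
ROW_RE = re.compile(r"^(Key opened|Key value queried)\s+(\S+)\s+(\S+)$")
# Device ID and instance ID are the two path components after \Enum\SCSI\.
DEV_RE = re.compile(r"\\Enum\\SCSI\\([^\\]+)\\([^\\]+)")
ID_RE = re.compile(r"^(?P<cls>[^&]+)&Ven_(?P<ven>[^&]+)&Prod_(?P<prod>.+)$")


def parse_row(line):
    """Split one row into (action, path, process), or None if it does not match."""
    m = ROW_RE.match(line.strip())
    return m.groups() if m else None


def device_from_path(path):
    """Return (class, vendor, product, instance) for an Enum\\SCSI key path, or None."""
    m = DEV_RE.search(path)
    if not m:
        return None
    ident = ID_RE.match(m.group(1))
    if not ident:
        return None
    return ident["cls"], ident["ven"], ident["prod"], m.group(2)


def looks_virtual(vendor, product):
    """The comparison an evasive sample makes against the strings it just read."""
    v, p = vendor.upper(), product.upper()
    return v in VM_VENDORS or any(w in p for w in VM_PRODUCT_WORDS)


def fingerprint(rows):
    """Group reads by device instance and flag hypervisor-looking vendor/product strings."""
    devices = {}
    for row in rows:
        parsed = parse_row(row)
        if not parsed:
            continue
        action, path, process = parsed
        dev = device_from_path(path)
        if not dev:
            continue
        cls, ven, prod, inst = dev
        key = f"{cls}&Ven_{ven}&Prod_{prod}\\{inst}"
        entry = devices.setdefault(key, {
            "class": cls, "vendor": ven, "product": prod,
            "vm_marker": looks_virtual(ven, prod),
            "readers": set(), "values": set(), "reads": 0,
        })
        entry["readers"].add(process)
        entry["reads"] += 1
        if action == "Key value queried":
            entry["values"].add(path.rsplit("\\", 1)[-1])
    return devices


def vm_markers(rows):
    """Sorted device instances whose strings match one of the assumed markers."""
    return sorted(k for k, e in fingerprint(rows).items() if e["vm_marker"])


if __name__ == "__main__":
    for key, e in fingerprint(SCSI_ROWS).items():
        flag = "VM?" if e["vm_marker"] else "   "
        print(f"{flag} {key}  reads={e['reads']} by={sorted(e['readers'])} values={sorted(e['values'])}")
```

On the subset above the QEMU DVD-ROM and the Msft Virtual DVD-ROM are flagged and the DADY HARDDISK is not. Treat the Msft entry as weaker evidence than QEMU: Windows creates the same Msft Virtual DVD-ROM device when an ISO is mounted on physical hardware, so on its own it does not identify a hypervisor.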
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
chrome.exe is not among the processes listed under "Executes dropped EXE", so these BIOS reads cannot be tied to the sample from this report alone.
Processes: chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
-
Modifies data under HKEY_USERS 64 IoCs
Most of these writes are MuiCache, FileExts and shell-extension cache entries produced by Windows Search components (SearchIndexer.exe and its SearchProtocolHost.exe / SearchFilterHost.exe helpers) and by the fax service (fxssvc.exe) running under the .DEFAULT profile. SearchIndexer.exe and fxssvc.exe appear above under "Executes dropped EXE"; the two chrome.exe rows touch TPM telemetry under S-1-5-19 and are not linked to the sample by anything else on this page.
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, SearchIndexer.exe, fxssvc.exe, chrome.exe
In the rows below, <MuiCache> stands for \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E.
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b3f53b30f7b3da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | <MuiCache>\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (str) | <MuiCache>\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | <MuiCache>\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (str) | <MuiCache>\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | <MuiCache>\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | <MuiCache>\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005206e72ef7b3da01 | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | <MuiCache>\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | <MuiCache>\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a00632ff7b3da01 | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004cf5952ef7b3da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d17e9f2ef7b3da01 | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | <MuiCache>\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e915382ff7b3da01 | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | <MuiCache>\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (str) | <MuiCache>\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | <MuiCache>\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | <MuiCache>\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | <MuiCache>\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchFilterHost.exe
Set value (str) | <MuiCache>\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Set value (str) | <MuiCache>\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133617013131411542" | chrome.exe
-
Modifies registry class 1 IoCs
Processes:
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
Processes:
chrome.exe2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exechrome.exepid Process 3748 chrome.exe 3748 chrome.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 
2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 3748 chrome.exe 3748 chrome.exe 7084 chrome.exe 7084 chrome.exe -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid Process 656 656 -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
pid Process
3748 chrome.exe
3748 chrome.exe
3748 chrome.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exedescription pid Process Token: SeTakeOwnershipPrivilege 1256 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe Token: SeTakeOwnershipPrivilege 4776 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe Token: SeAuditPrivilege 2264 fxssvc.exe Token: SeRestorePrivilege 2436 TieringEngineService.exe Token: SeManageVolumePrivilege 2436 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 1956 AgentService.exe Token: SeBackupPrivilege 1636 vssvc.exe Token: SeRestorePrivilege 1636 vssvc.exe Token: SeAuditPrivilege 1636 vssvc.exe Token: SeBackupPrivilege 2240 wbengine.exe Token: SeRestorePrivilege 2240 wbengine.exe Token: SeSecurityPrivilege 2240 wbengine.exe Token: 33 1556 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 1556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1556 
SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1556 SearchIndexer.exe Token: SeShutdownPrivilege 3748 chrome.exe Token: SeCreatePagefilePrivilege 3748 chrome.exe Token: SeShutdownPrivilege 3748 chrome.exe Token: SeCreatePagefilePrivilege 3748 chrome.exe Token: SeShutdownPrivilege 3748 chrome.exe Token: SeCreatePagefilePrivilege 3748 chrome.exe Token: SeShutdownPrivilege 3748 chrome.exe Token: SeCreatePagefilePrivilege 3748 chrome.exe Token: SeShutdownPrivilege 3748 chrome.exe Token: SeCreatePagefilePrivilege 3748 chrome.exe Token: SeShutdownPrivilege 3748 chrome.exe Token: SeCreatePagefilePrivilege 3748 chrome.exe Token: SeShutdownPrivilege 3748 chrome.exe Token: SeCreatePagefilePrivilege 3748 chrome.exe Token: SeShutdownPrivilege 3748 chrome.exe Token: SeCreatePagefilePrivilege 3748 chrome.exe Token: SeShutdownPrivilege 3748 chrome.exe Token: SeCreatePagefilePrivilege 3748 chrome.exe Token: SeShutdownPrivilege 3748 chrome.exe Token: SeCreatePagefilePrivilege 3748 chrome.exe Token: SeShutdownPrivilege 3748 chrome.exe Token: SeCreatePagefilePrivilege 3748 chrome.exe Token: SeShutdownPrivilege 3748 chrome.exe Token: SeCreatePagefilePrivilege 3748 chrome.exe Token: SeShutdownPrivilege 3748 chrome.exe Token: SeCreatePagefilePrivilege 3748 chrome.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid Process
3748 chrome.exe
3748 chrome.exe
3748 chrome.exe
6040 chrmstp.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exechrome.exedescription pid Process procid_target PID 1256 wrote to memory of 4776 1256 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 82 PID 1256 wrote to memory of 4776 1256 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 82 PID 1256 wrote to memory of 3748 1256 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 83 PID 1256 wrote to memory of 3748 1256 2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe 83 PID 3748 wrote to memory of 1848 3748 chrome.exe 84 PID 3748 wrote to memory of 1848 3748 chrome.exe 84 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 
chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 5004 3748 chrome.exe 111 PID 3748 wrote to memory of 708 3748 chrome.exe 112 PID 3748 wrote to memory of 708 3748 chrome.exe 112 PID 3748 wrote to memory of 4904 3748 chrome.exe 113 PID 3748 wrote to memory of 4904 3748 chrome.exe 113 PID 3748 wrote to memory of 4904 3748 chrome.exe 113 PID 3748 wrote to memory of 4904 3748 chrome.exe 113 PID 3748 wrote to memory of 4904 3748 chrome.exe 113 PID 3748 wrote to memory of 4904 3748 chrome.exe 113 PID 3748 wrote to memory of 4904 3748 chrome.exe 113 PID 3748 wrote to memory of 4904 3748 chrome.exe 113 PID 3748 wrote to memory of 4904 3748 chrome.exe 113 PID 3748 wrote to memory of 4904 3748 chrome.exe 113 PID 3748 wrote to memory of 4904 3748 chrome.exe 113 PID 3748 wrote to memory of 4904 3748 chrome.exe 113 PID 3748 wrote to memory of 4904 3748 chrome.exe 113 PID 3748 wrote to memory of 4904 3748 chrome.exe 113 PID 3748 wrote to memory of 4904 3748 chrome.exe 113 PID 3748 wrote to memory of 4904 3748 chrome.exe 113 PID 3748 wrote to memory of 4904 3748 chrome.exe 113 PID 3748 wrote to memory of 4904 3748 chrome.exe 113 PID 3748 wrote to memory of 4904 3748 chrome.exe 113 PID 3748 wrote to memory of 4904 3748 chrome.exe 113 PID 3748 wrote to memory of 4904 3748 chrome.exe 113 PID 3748 wrote to memory of 4904 3748 chrome.exe 113 PID 3748 wrote to memory of 4904 3748 chrome.exe 113 PID 3748 wrote to memory of 4904 3748 chrome.exe 113 PID 3748 wrote to memory of 4904 3748 chrome.exe 113 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Users\Admin\AppData\Local\Temp\2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_9186fe483f543f0674621a1f9d7857c7_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2cc,0x2d0,0x2d4,0x2a0,0x2d8,0x140462458,0x140462468,0x1404624782⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4776
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcaaf0ab58,0x7ffcaaf0ab68,0x7ffcaaf0ab783⤵PID:1848
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1932,i,4385963193460118396,9796878680723212127,131072 /prefetch:23⤵PID:5004
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1932,i,4385963193460118396,9796878680723212127,131072 /prefetch:83⤵PID:708
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=1932,i,4385963193460118396,9796878680723212127,131072 /prefetch:83⤵PID:4904
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1932,i,4385963193460118396,9796878680723212127,131072 /prefetch:13⤵PID:1528
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1932,i,4385963193460118396,9796878680723212127,131072 /prefetch:13⤵PID:5060
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4312 --field-trial-handle=1932,i,4385963193460118396,9796878680723212127,131072 /prefetch:13⤵PID:5344
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4472 --field-trial-handle=1932,i,4385963193460118396,9796878680723212127,131072 /prefetch:83⤵PID:5460
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1932,i,4385963193460118396,9796878680723212127,131072 /prefetch:83⤵PID:5468
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4756 --field-trial-handle=1932,i,4385963193460118396,9796878680723212127,131072 /prefetch:83⤵PID:5484
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4908 --field-trial-handle=1932,i,4385963193460118396,9796878680723212127,131072 /prefetch:83⤵PID:5632
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4912 --field-trial-handle=1932,i,4385963193460118396,9796878680723212127,131072 /prefetch:83⤵PID:5336
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1932,i,4385963193460118396,9796878680723212127,131072 /prefetch:83⤵PID:5636
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings3⤵
- Executes dropped EXE
PID:5728 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x14044ae48,0x14044ae58,0x14044ae684⤵
- Executes dropped EXE
PID:5812
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=04⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:6040 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae685⤵
- Executes dropped EXE
PID:5576
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 --field-trial-handle=1932,i,4385963193460118396,9796878680723212127,131072 /prefetch:83⤵PID:5888
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 --field-trial-handle=1932,i,4385963193460118396,9796878680723212127,131072 /prefetch:83⤵PID:6596
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1932,i,4385963193460118396,9796878680723212127,131072 /prefetch:83⤵PID:6604
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1932,i,4385963193460118396,9796878680723212127,131072 /prefetch:83⤵PID:6696
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4864 --field-trial-handle=1932,i,4385963193460118396,9796878680723212127,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:7084
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1680
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:4664
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:1676
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2264
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2284
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4820
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4948
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4252
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:384
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:332
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:3936
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:3252
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3088
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:5032
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4616
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:8
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2436
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:4052
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1956
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:2036
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1636
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2240
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1532
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1556 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:3180
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:6020
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5 dbfa324b3435e3324ac1b4df0a1f337f
SHA1 e35f68710d670ca93190933abb52601c0e4e33c1
SHA256 4e9475dd3cd820756320345c213f85be4c4925190ab3e18a6914b00a73099330
SHA512 7a09b584434c9321341c5be5d058a09168494e2986f35505edfe85ca32d9b9889da8f0cfad36bb097541c36186f70ed81912a87f18ef4d0bd450102555406744
-
Filesize
1.4MB
MD5 0e38b93cf04f8155c0bb337683ec16ed
SHA1 d40e19a74208ed05ddf93f2c003b29ff373ebec9
SHA256 3ae4433a4013a3a783d6c1c7931c0bfbf96aad8f5e94d89011b58a6530a9fa6f
SHA512 624170a71ac425a2a0e426a73a2ff07d53bd30a5391e4e3c811fd8544dec87606811677cbc32f3a9a7c668d13e09eb0878f18b4087f49e3ce88c26363d150376
-
Filesize
1.7MB
MD5 356c65fd58faac5e951b1a85931d335b
SHA1 a1f6fc7d09cfba4f8177c2c6bea2b4935f166bae
SHA256 5d4595cdc9ad572520a6a355c3fcb7f19648f15240995466ad3d821be255fdc3
SHA512 9d54c25441e46e8afbded41081df166d22b90174fdcd0261ab1c1d58941e6fadd389d59179c54e6733fdc3f3881b33c143a8e1f901931544b901436079798953
-
Filesize
1.5MB
MD5 7b99eeb7e1b5d1e95279bea4de5e2231
SHA1 dbee1049576be40eb7b056a6176cded48a230e37
SHA256 79822678ce1282005f469dd4f4d9e4a911bd775ec205ffca3ce283993ff6316b
SHA512 a9b3603fa6e6ea3e7f3aa7e1262c6c01c8884dbcaee5e5228a9b33a9bbbb6d6f292dce107b607477c073edabdb27cb06afeb42c44267b20dfe8ed500b511717d
-
Filesize
1.2MB
MD5 a4ee0033b500fb48ddce0c5caff6facc
SHA1 bc5d6e497978b9ba281a88d1c30e26d7ae7bdb4c
SHA256 bca524045c5ac679af97bce8a7338923c76a8670baa01cf008e6ad886923909e
SHA512 d96c7073b92c53397db18a826d17c2b275391475a4f5b1bdbf0928fa026695c898a5ed3e2d41bb9dc45bc9a3c5810a13c852907ccf05dae06fa50c050256b565
-
Filesize
1.2MB
MD5 0b82bccced91fac94e7d0054c3baf858
SHA1 64508ae6b55ee075b5e0a2708d26df2a2b389615
SHA256 f08925d59a9a28c5dc05f7f8b83321b9f3dea78369fcfe7c5407433a74d7d1c1
SHA512 830b2a7096bcf510183dd42cab66eaf1724717f51a0ddd61f7a722a0745dcf46b854a8f27ca54710e66dba4a3b1f56fbc46c8e160b799681ee02c760f15c9901
-
Filesize
1.4MB
MD5 aca5803ba85ced62173aa24d38ac7fc9
SHA1 ea55ad96dc25dc1b41c476f7f06262f7c40cbbae
SHA256 3d093a6a94a464110677c289135adc59dbc93c457c880706d8e8a68d7b4fcc7c
SHA512 24074cb2e684d01f4f61f1d9c8945348f683aed32633495d32cdc89dd938fe322b2b036ccbfda8e9b079a93d9d10ddebad61c2b51aae425b8b97b669cbb252f3
-
Filesize
2.7MB
MD5 ba00904a412d17781333e74def567bd2
SHA1 9be8389ccb3a45cf0906a1fe3e3f7a0818a820eb
SHA256 d7ffe5095eac453450fed5a2bd453a4495f354e468e0f5eb37165aac92a0c0b5
SHA512 552c3488a0265ccf30086c4acc42ddd692c5f2ac67bd57c3b52fe7743581d5b614e7560c03df2096e0699991a6bf5dad92e3d8e2de3106f5e4be73d60b273021
-
Filesize
1.4MB
MD5 0d593b6939d4ddbd4a55fa61b36ef685
SHA1 e055d4006ce82923bd6af3d6f5613607e97481ef
SHA256 9dc6716ca339451f378df94051c1bc8512c6a25dfad80ba942c170b421fa9715
SHA512 4fc50ab3252f596c7fe035c8b7a4db9353fed3f85f6d22a3ea2dd4859e886f256d5222b545f3f251d951f8fb213b15ac827d30a10b61ac3fbfdc00b6eb115f64
-
Filesize
5.4MB
MD5 9805637063a150e3fadd4e1b43eea0da
SHA1 e456350905e65b076251272ca2731295f3d9db06
SHA256 aeb3e0d78e152c1f931fd712324665104b4abc612d67bed1b1c1a58b459f4aba
SHA512 7357632ac5051ac8355a6dd286eac38869481ded161d3b6f82cb7f5d6b1b3703c33a7a04b44d24a9b0f48a3c7093d300a29c869d06284e2127f466a1dd99ad58
-
Filesize
2.2MB
MD5 3a93cf831af61b7b8ed1d7130533ed83
SHA1 67eb3c0183e48177622b97bb6c8a2e199b99f498
SHA256 71184d3e60fce23a3cac7f197b33e8593cd95e443af5fbe02e073b31ff76694b
SHA512 5f5374c4950f0ed2f4bc55b73f09b91e6536b37497510a2423cc32f5cfe665d93244dc9e3e99311a170a6f32d4ae241cd86e1165b4a84ea749dcc0812b15599b
-
Filesize
488B
MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize
1.5MB
MD5800ec68ddfcd8c2a8722aeb57013818d
SHA19bb4f1a6003160e3d6c3d45bceab698d1e44bf55
SHA256f74851f5cb88f3fb8ae38a310ca8548f493bbc36b4824562b47fb76515701d2d
SHA51286e9a9fc32096327ff90e9b9994af39c1a52a841a52e7a9ca84f913cbae2b09ecf635e9bd61853044b0928d924332af801cc7ba3f9cbf6d76e33a437b8aac9c6
-
Filesize
40B
MD5757f9692a70d6d6f226ba652bbcffe53
SHA1771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b
SHA256d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad
SHA51279580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150
-
Filesize
193KB
MD5ef36a84ad2bc23f79d171c604b56de29
SHA138d6569cd30d096140e752db5d98d53cf304a8fc
SHA256e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize
1KB
MD5a15844829f90a84bd8505ed5e04726d9
SHA1fa28dd28627c7015682b7be0079257cc7ee1fd95
SHA2564ef222ca44d21eedfe0bc4af72566d2fa3f16823a5c2d0a3490f744358180220
SHA5124de86d7c1e2302b83a00922759c5931b41fa3215e216f5f4e615abe1cf7ed05a8d63a808f50ca4dee75a50eea7de6814d5b86865b5807a0c6c7819d4a669a888
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
354B
MD57318fb4a8c3bd7626be08a9b702ee290
SHA15d7e87fa58bd57f002a9132b4768ac3eaafa699c
SHA2564338ca819aadb89fc4b7c57e41dad53b021a60f447981b156bdc4805fc88df15
SHA5128ad4848d793230ac7fc32ef031e2004bb942efbec3120f1ef26b4eb5c8bf980a22fb2e838821ead945adb0d8dab96a4a6cd9d4399417c7ec08e310965ffbf8cb
-
Filesize
5KB
MD53aebf204ddd3c81eb84c783f36871eca
SHA1b0f4e1ff5eb128ceb1722a37dd02d5e331099b90
SHA256655d03d413b2d1706e5c7e56a7cd749262944f8ca6a11368ec3874cfd4690e69
SHA512a502e039fb738621f3c961c4649700ddebdaf20186e8516170dc8b506030b4a19331341412bee9bae5b54636761593c4e0b2924b73de6f26663245343170ff54
-
Filesize
2KB
MD56c38709f2b92b4197d45f6df3df81cb9
SHA192d1adb3512f085dba8c03ea68d926704ebbbda3
SHA256d5bb9e1c53b6d6dd67dcfdf3963d7d8b0dd3094ce6a86851e8b8ab7d3d6f235a
SHA5123cc01f22a75c283dd55a4fc9b02211776bc1246ae7787ffeee21a25d0ea8ddaafbb70cbe8d0976356fcff59c9be8e9c178c15264d2a44df3653bb1e03fe41bf9
-
Filesize
16KB
MD5e6501a6657e9bf1b1fcf9d797e88aac3
SHA1b3903ef2c891fc69bc67653664cd34160baf9207
SHA256b1108e28b1ae53228dd8785d6a6e3e9a201d6c55b82c953496d78eabfeb4d521
SHA512bbaf52b9a3ca998faa8ee72456d1878b0085253a352cb2da4e6f3800e38ca7f52393a3d965d5d3b6f974f403ebb078434ce0584131557b8579dcedea853319ca
-
Filesize
262KB
MD5b04d3dd2acdd52329e057f6b897cb141
SHA1d5d61dafa5a266ea12c2af8c8e065d7120cd3dd1
SHA256b037835c273dec8e26a8f7cd2636d8ec9a063ff1b7fee7050aa33c0c3941dcc1
SHA512f7cbd393f6026e880f4894448c1090dfcdd1919a0c800f3a0160b535fdb0f600b76defa1ae54b542a3db3499489135912d22146974b747a1fa2105f55da78ff8
-
Filesize
257KB
MD5915769e90f9f1e12f499cca0fcad1a25
SHA1ecf1113642d8ad949840980e9fcd4ce7c173a773
SHA25612e6ed544cc47535ba45a768032b2d82c698edb5432ac80bed32f8ed1b2e16b4
SHA512206f1c033ad77cd1200dfba3667c312b0611a8e715b7f82b77cabe3904713bff5b99400ebe98553341a1c5ebf3c1d44dc6172a5c58355b844f570b563391fb8f
-
Filesize
263KB
MD588250f0fe809677c4458fd1da44daf27
SHA1152ce7599bb1f894cb5f6ef357d6548c65e0a9d8
SHA256847f223e0bef71522ef86b04244355e132346bc9e16f35469028ed5bef8b752a
SHA5129b42a76439a4767df72cca2b1e7ca9f69ae29262458b612ad6a025176439f9bc59041d6af10175b9ef9e4ce62fcc48e26612c63769fd8b895ad8766fe7969293
-
Filesize
293KB
MD574bec201464579d000c6a4517ff2726b
SHA1dbac74f724eff079d89f3d509feebdf045b42f01
SHA256177dfec292b8967c46c815aab94d92c84019665ce278a35954abd2bf37435dc3
SHA512ff58a723ad53de3150cfdff110cd2ba6937a85bff86feb5b9c05316af3ea14562b749fd89c800f4a600942e41b3738aa9b1fe4d5d6e5bf3e80f69ff93e1199de
-
Filesize
91KB
MD5396bacda529033a6dcbe8564bccc4f0f
SHA12674fadf8afdd671c4fc3cd3e00a81582c0b7dca
SHA256a73bf25efcfcd39b2f04d80ebc794f0dfe6ebc7860d0717e2aebd98fbcdc95e1
SHA512cecca275f29c202cfd15a1e5def6d26a8def46b243065a9ea751f49683b35c7a59033a616fdfb787362f8a5a7c79d71f5dd5461ab7bc0fcb5bd1a45628d32d34
-
Filesize
88KB
MD5cb0c8412ad7cf4d6be83cc8c63e1682e
SHA185ffcd7fffa1fc4ed3676ef4d848189cdf3f5aa0
SHA256d4065571f93488643e1cbe9584d0668e2a5b4f2a7e025ed6df220beb0cfa98da
SHA512fccd6ac44642be103042dcee88562812c9b748a064ae17ae1daf1e700b78cfe05264f47e86696e8b8c4d29d37ba178f12b105cba72a8118b035552ba0d9ca22e
-
Filesize
7KB
MD56fbce802c0533c9731180bb8fd8c011b
SHA181782acdc8236387b695aab69ec9349ceadd113f
SHA256aec392b14f17f3764ca31d8bbe3259a424c7464e9d0493a61fb03b342ad35e00
SHA51214a9dc784ca1d25b744c877bb1b16e7afbe19c21d39cd6815399329d521a03f7295ff9044acff63317566dcc29397ac86625c7d523a8a16ed001a6a01683b77d
-
Filesize
8KB
MD5ece9d8c4081b66e657d4133413af1a75
SHA1aa4ebdec2e0365ebf78c4d229c40e310f6e72e6c
SHA256e44b90dc72c0450254cc27a27f1076b4bda924027415b6f17c66271849d1dc3b
SHA5126cf52be65d2eafed4a58ebe623eca96455a2b64f2c5a960a59b24ae268ef5fb493b54694e67bee93fabb6c6741a508c5173d46fe4a2b6031032f309bdf55e6f5
-
Filesize
12KB
MD58354305d8eaa25d52b187dd003e0e9c9
SHA197fb04bc0b5eec141985771bcb6067752508e975
SHA256fe194e0ea976ec140e45b4d61f6edb3d3d5ae0fb64166de28646ae5c28efbc50
SHA512ef8e1249eb3b25110858d39b3d95f9fef74cd2e75783494ae14dd6732adec26fb0d00369717fc2911bb6bbcc961a2e5bbd375104b9c1e05054bc939f483c0542
-
Filesize
1.2MB
MD56ae5c56a5d102ec7bf4d9bb58513de7d
SHA113c837fbe56c46c679e39bea8b278ed3845f9927
SHA256ae77bcd89b6b15285ee4f46584098846cb21b31d63e0ff1105027c67783b8d2d
SHA512c4eaf07a9d3c4463a61dc4c1787120805cdf6bbcf77b6720c9194635658dc924ab139e77d3adff895a6e01d3bca542ce1f52b8736d40e6681db07cb965c9264d
-
Filesize
1.7MB
MD5c3561c4c5724ed9eb2bc9f24bdc16c05
SHA16171fef99b0a2f0f1906b0020153acf91e3844b1
SHA25662e6aef6e9980ee08f16d903c6b5d482080f4a7ecf4747731a5c2947ebbee819
SHA512b46fbc17a4ee09b532d1c4ab3ddf757906b3facf263e9b77fb116401e3938bab2b5868de2df392e4585c852a97cb7b28fbb8c5cb72a549184b847884ea6e651f
-
Filesize
1.3MB
MD53c7181657ae29aac36879ec41388fc6d
SHA1b0d0f9d395961cd493ee65a06bb3a3f0adb7f76b
SHA25615b908f4ec08b219fa0d9d19c2ddbfb6b31463d16c5db6c826a85f3933876ce5
SHA5128d8748404c4b4150f0c0dd1a575eae38506cd92bcd64419f762305687dc24779ceaf03dc48a44b300fee082f3749b4f6f49c9db90771e8337f73c3605df8f264
-
Filesize
1.2MB
MD5859b59b668fa5ecab5044dc0d0081fbc
SHA1f9e7bab0b964bac3d6a47631d568a43540350e1c
SHA256bb8fd6b650545037b74abd8d43af29f41ecc1b10da976844cc169143f69c02b8
SHA512ad0e17253b39a4d5bf977f169adef17aa3173e797e02e2cdec900bb9d789e29b1d4da0992ec48b31e32d6b24bf37144ac5700ab23a254389e75a3ed307b7b246
-
Filesize
1.2MB
MD5988e8aab7ca85d9be170c4b3870b464d
SHA1268dfc1541476583f262bc8c37ec1472a108fa05
SHA2565c03258d29cc5fff143f4c4cc3222d4d55b76cee85c33ef1cd10c250431d11aa
SHA512336598e9660b6a923ce3a201300da4db4b4aac962f412c6b08235fd15366300894916b3b787d12ba3b07d7397ee61d9179d0265c73179c25eed74e3bc15428b2
-
Filesize
1.5MB
MD52e5bb2813e8d3a7eb547417bb9275afc
SHA17446b691cccf778e6ad0424bd08eb6f642cee3c1
SHA256eac564801eee1523d2c039b35f7633d90c8038c7eba61eb329fb21d4855f7b95
SHA51272c873a6066557b9ed58de1875f299b39ebf38df14df221f11589165292d86ab2d87e4f465b79f780ef2077e426a06425edd496f01ca0d8467ea2a8eb4b42f08
-
Filesize
1.3MB
MD5a9c9f0bbd66623d1e26838fc7ff88317
SHA1f1d92b3844f634b913d3bc1bf40a4c95697723b2
SHA2565795a4c63f88ec508e95c6521c464db52efbdabab6bce49eba585e066a72536a
SHA51255945f90b5ddca2d275436cb3fbabb5ea9ce3263cf56ef2dbdec8957e0b329fb711d4ded02bcbbfa2f75629544d9b08fe6d9055ee43bc015faeac86606536060
-
Filesize
1.4MB
MD5407f163b276c836646d462043f6476b0
SHA18659e27668b5c6be497865f6d341c1e97f07de01
SHA256fb022c145f02b00f40c2c2b029583282663b6973ba4d96997cb51ac703abc4ce
SHA51262cf133eca4345c3a1f52c2eac1d1a644a3ad0343c253bf676ddd2be010d2604df166f56cfa376b75d7c89fa61cc3b9daffc08f4ebd2d1fe6e4994a259ff52b6
-
Filesize
1.8MB
MD5e815114ffab7e6754408c60762ad84d2
SHA195881ab60a0be3196c8bf255a451f90cff0d7164
SHA2562757ff02eaba27006bfc3d9f5dc9a9c5b9f4c74b0c68bd84ceec430de620934a
SHA5123edf0322bd42fdf8077afa2bc58919ee3d87b9ffc476cb425235cbc4645c84d49d62b1aaf6a405b9dda802ea49d4871928a03a962f9cb410a0b08443634b2e81
-
Filesize
1.4MB
MD5870dcdcd597f12666e54e339b3c47b6e
SHA1eae21475b36d1228dfd6350d82e28f72f17144e5
SHA256a6f121df81584c990ca53381df1a736a00e6669e3cc071f1a69b80ba96a95c7a
SHA5125aeefc4a8ebfdf34002bc3da1e42b6e063a5459f24b871020a30d0f80665a2f1774eb7f4f92189382a77f84308da35d8464fc85963ec13dd34a8a2a05cdc4b26
-
Filesize
1.5MB
MD5835e10afb2d098ad81a9d29f1660e68a
SHA10ef5a2af708872f5ac1dd031df807750f28dbf0a
SHA2569b5f4ab6b7f9ccca6973f72707dc0b5f2fa02673ec8247913d2991d661296cca
SHA5126939c68422d750cb92fdb51e18ad2acb2f4b5cd405a63ae0d56ff3a1b5c4b7fce190a8be7d912f898dc67846aa56a25e09e121a870f3c93f92cf0db32d4756e3
-
Filesize
2.0MB
MD5eac2e971e4094aaea6e042d130fe9853
SHA1fa15005900836cff6e53731f848dfde1ca2939e4
SHA256a5a89951c0726092064646f019d033f551e8cda007c5b5253056376f0e3e83bc
SHA512df8a8700ed6d8c999d18c17a9e0fe8174ebf9c811a84fec5870e8fb02dbd8621ae0a9399560553ad7ae317ebad15a590a64bbae89b45e4677a0b66c14c6eeda1
-
Filesize
1.3MB
MD5a314d497ec2dd5920c8ac42562973368
SHA16184578515c4846519b1aa1c818422d8c325d3be
SHA256399e150715b3fa610795fcd3515287c985916b36dfea728a7287d009336653d4
SHA512fe0bdf02ebb5a66e9da7b315dfe58fe4381027a7843bda6459382533d60cda3dd675fca75275ac36f0cec59cd56921269c219b6336cd0e07fb9aedc684195e0c
-
Filesize
1.3MB
MD5dac25e4e58e41fa0f6053c1c1f0c8cdd
SHA15c3a018c9ffa8387ecb031e15603cd334a5a7521
SHA256df0095cecb563d47a37fe00a60fdeaa1591ad6b26aaac148c60a328826957257
SHA5120112ce1f3f93494295c51b95ffd40c4c515b3439b395ce0ca4ae3d9438bd5df47774afbec3e0a185690a24e35fa1c2500998dd4d6ecfd7ddffdefe615e690d7f
-
Filesize
1.2MB
MD59cd33ea27a21601b94d032454375794c
SHA19c10b77fc8f2b1d83f968104e06577579ffc5093
SHA256b387e91dd7b11b9f861492d160243cd7e28294de016a7092811eed5042c8387f
SHA51207a6f72afbbc21d3d72d803788a71eaa563c4bba55d0853d32e6c3da6e2d495b64509a2f5ebaa0ce18c99a4d02245e2c5a4ba52443b92318b4fc678b7f26020c
-
Filesize
1.3MB
MD554903542cde526adea0385ee365bab43
SHA185ed586001b131a0e8b091e703adbc573c13f6a2
SHA256e1dd347ca1b71a892d10ae2348944876e07610f0d3a1b71e4aa96bab985e6b60
SHA512810d3dc1ab95fd7f05a429906db2143c6155c28b02170fb7d1f1e68c705acdb48ffd1b6f53266c3ed1430103172485a0233583c44b44cff723e1faa6b1b86a42
-
Filesize
1.4MB
MD50dc1ecb35b4985da5af8c5fe98dc3b0f
SHA18f67b11a9c601640eef366a567509909c9b51b0a
SHA256cc1a386e572d77606ae1e613afe92fd0e0e6650c5359f8349126f91250e3fae9
SHA512f5cbbe764cd813fe89aa840f9cf6193749452e7a508b0cebde026db5d02439c80a96960eeb15c7bd77e79eda00931bbe1facbf95df0b608d5420d07b49ac12ed
-
Filesize
2.1MB
MD5f6bdd101aa5ca4f6ddf932810d008a07
SHA1d4dfe6da9c4949be5311726fb57f6c9eae50a09b
SHA2562718d4f095d40ac1e1b69fb2011c8c90565eaa13e8e6f4af7e4aeeab5e363d05
SHA512b2423e71403bb7488d85d27a5b5629d1b7ee20ba2dcdfaa4cb4c9b546ae2e8ad0ab1d7a9f351fa45c125ce950ced45afa8566c553ecedd2db87cc789b3d80f3c
-
Filesize
40B
MD58323eb783d4b3475bc1107f7b22fe30a
SHA18b61ba2d4ceddcce64913e45b0b3aaedba641153
SHA256b04e4a8229ad76f418899a184586a34f1da04653efdd8f0386b76fe7282bd7c4
SHA512a6e5fa59549dd9f848741b7c5e0e99e3efd1ac639e61a1a430fe7a62e6f13bf625fc22d619b29e9319f0bddd46eda6bd61057d4afcde7c846a72bf6e4ef79972
-
Filesize
1.3MB
MD52a3800ec8276fbd2d1b66220c21ab8d8
SHA1fda44e72b7e5f68bbe7c6672cc9f16f86f0e776e
SHA2565057316c9f6fd55e5678e7e8a628b3321803c145476bcfe1c8bedd10e9b80249
SHA51244e43d7c9ecaeb437b20a7f00257e7d0293ce1e3c89c80143e791255d4d0708794f5e6661aebc93a4f0b4b9d617c36d67b6ee5baf369c1a3bd90bd5a58e28efb
-
Filesize
1.5MB
MD5b29860be17d4d718f16ed2446e4af7a0
SHA1d9dcd614541341dfbc90a6c7c5f17c2f2ba7f337
SHA256ddbf2c8c9ada3238fe85339636f058279272cd386d78275e71f62a059a3d72ad
SHA512904fed7bd46a4cbdfd6cd7460255ac47d795492240dada14536974798b7053271f9701287e0439038531de0c5911604033073969ef00f2cdd52dce483e873159
-
Filesize
1.2MB
MD5008b9a58186fb6196df59a0543f82eaa
SHA14b824c123cb310274454c9c13e8bb3ba76e47a56
SHA2560e1fae3780d6d8078fd4291f0b496f160a07b5ac2d75aed4e0ce8b7a40ba101f
SHA5123afdad677057436ddf9d1de61ab100771fa05ae9a1da2b7b4ecaff54525db2a0f498b03755431b3ab811c1c5bb11c34bdebd6e698ea69903e806b4b836405eb8
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e