Analysis

max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 15:11

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe
Resource: win7-20240221-en
General

Target: 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe
Size: 5.5MB
MD5: 97d1f96c53654646b5bf3bb5cd1889ef
SHA1: ad19c10bd9acf1f7824f263bde5c9857be0e37e1
SHA256: 1d808afe7bb3904ec9f9280d219f095bf544d28777b4ac98e4c7592826fef551
SHA512: 565650a2c86f6751996b2ef3e830e129628b218c05fa2edaeb527edfbc62cbe6d5ff23dbddc4e0d704658bb013cb32b50db6c7772b41487879b1338249a4ddc0
SSDEEP: 49152:NEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfG:xAI5pAdVJn9tbnR1VgBVm465tUV
Malware Config
Signatures
Executes dropped EXE 26 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 32 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
description: File opened for modification; ioc: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe; Process: 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe
description: File opened for modification; ioc: C:\Windows\DtcInstall.log; Process: msdtc.exe
description: File opened for modification; ioc: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe; Process: DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description: Key opened; ioc: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0; Process: TieringEngineService.exe
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz; Process: TieringEngineService.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description: Key opened; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS; Process: chrome.exe
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName; Process: chrome.exe
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer; Process: chrome.exe
Modifies data under HKEY_USERS 64 IoCs
Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates SearchFilterHost.exe -
Modifies registry class 1 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 46 IoCs
pid Process 5024 chrome.exe 5024 chrome.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 
2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 3692 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 2628 DiagnosticsHub.StandardCollector.Service.exe 2628 DiagnosticsHub.StandardCollector.Service.exe 2628 DiagnosticsHub.StandardCollector.Service.exe 2628 DiagnosticsHub.StandardCollector.Service.exe 2628 DiagnosticsHub.StandardCollector.Service.exe 2628 DiagnosticsHub.StandardCollector.Service.exe 2628 DiagnosticsHub.StandardCollector.Service.exe 5424 chrome.exe 5424 chrome.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process
5024 chrome.exe
5024 chrome.exe
5024 chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 4856 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe Token: SeAuditPrivilege 2204 fxssvc.exe Token: SeRestorePrivilege 216 TieringEngineService.exe Token: SeManageVolumePrivilege 216 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 3484 AgentService.exe Token: SeBackupPrivilege 4848 vssvc.exe Token: SeRestorePrivilege 4848 vssvc.exe Token: SeAuditPrivilege 4848 vssvc.exe Token: SeBackupPrivilege 388 wbengine.exe Token: SeRestorePrivilege 388 wbengine.exe Token: SeSecurityPrivilege 388 wbengine.exe Token: 33 316 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 316 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 316 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 316 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 316 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 316 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 316 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 316 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 316 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 316 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 316 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 316 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 316 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 316 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 316 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 316 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 316 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 316 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 316 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 316 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 316 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 316 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 316 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 316 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 316 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 316 SearchIndexer.exe Token: SeShutdownPrivilege 5024 
chrome.exe Token: SeCreatePagefilePrivilege 5024 chrome.exe Token: SeShutdownPrivilege 5024 chrome.exe Token: SeCreatePagefilePrivilege 5024 chrome.exe Token: SeShutdownPrivilege 5024 chrome.exe Token: SeCreatePagefilePrivilege 5024 chrome.exe Token: SeShutdownPrivilege 5024 chrome.exe Token: SeCreatePagefilePrivilege 5024 chrome.exe Token: SeShutdownPrivilege 5024 chrome.exe Token: SeCreatePagefilePrivilege 5024 chrome.exe Token: SeShutdownPrivilege 5024 chrome.exe Token: SeCreatePagefilePrivilege 5024 chrome.exe Token: SeShutdownPrivilege 5024 chrome.exe Token: SeCreatePagefilePrivilege 5024 chrome.exe Token: SeShutdownPrivilege 5024 chrome.exe Token: SeCreatePagefilePrivilege 5024 chrome.exe Token: SeShutdownPrivilege 5024 chrome.exe Token: SeCreatePagefilePrivilege 5024 chrome.exe Token: SeShutdownPrivilege 5024 chrome.exe Token: SeCreatePagefilePrivilege 5024 chrome.exe Token: SeShutdownPrivilege 5024 chrome.exe Token: SeCreatePagefilePrivilege 5024 chrome.exe Token: SeShutdownPrivilege 5024 chrome.exe Token: SeCreatePagefilePrivilege 5024 chrome.exe Token: SeShutdownPrivilege 5024 chrome.exe Token: SeCreatePagefilePrivilege 5024 chrome.exe Token: SeShutdownPrivilege 5024 chrome.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process
5024 chrome.exe
5024 chrome.exe
5024 chrome.exe
5812 chrmstp.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4856 wrote to memory of 3692 4856 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 83 PID 4856 wrote to memory of 3692 4856 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 83 PID 4856 wrote to memory of 5024 4856 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 85 PID 4856 wrote to memory of 5024 4856 2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe 85 PID 5024 wrote to memory of 1904 5024 chrome.exe 86 PID 5024 wrote to memory of 1904 5024 chrome.exe 86 PID 316 wrote to memory of 3940 316 SearchIndexer.exe 112 PID 316 wrote to memory of 3940 316 SearchIndexer.exe 112 PID 316 wrote to memory of 4124 316 SearchIndexer.exe 113 PID 316 wrote to memory of 4124 316 SearchIndexer.exe 113 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 
3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 3708 5024 chrome.exe 114 PID 5024 wrote to memory of 1544 5024 chrome.exe 115 PID 5024 wrote to memory of 1544 5024 chrome.exe 115 PID 5024 wrote to memory of 5008 5024 chrome.exe 116 PID 5024 wrote to memory of 5008 5024 chrome.exe 116 PID 5024 wrote to memory of 5008 5024 chrome.exe 116 PID 5024 wrote to memory of 5008 5024 chrome.exe 116 PID 5024 wrote to memory of 5008 5024 chrome.exe 116 PID 5024 wrote to memory of 5008 5024 chrome.exe 116 PID 5024 wrote to memory of 5008 5024 chrome.exe 116 PID 5024 wrote to memory of 5008 5024 chrome.exe 116 PID 5024 wrote to memory of 5008 5024 chrome.exe 116 PID 5024 wrote to memory of 5008 5024 chrome.exe 116 PID 5024 wrote to memory of 5008 5024 chrome.exe 116 PID 5024 wrote to memory of 5008 5024 chrome.exe 116 PID 5024 wrote to memory of 5008 5024 chrome.exe 116 PID 5024 wrote to memory of 5008 5024 chrome.exe 116 PID 5024 wrote to memory of 5008 5024 chrome.exe 116 PID 5024 wrote to memory of 5008 5024 chrome.exe 116 PID 5024 wrote to memory of 5008 5024 chrome.exe 116 PID 5024 wrote to memory of 5008 5024 chrome.exe 116 PID 5024 wrote to memory of 5008 5024 chrome.exe 116 PID 5024 wrote to memory of 5008 5024 chrome.exe 116 PID 5024 wrote to memory of 5008 5024 chrome.exe 116 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Entries are indented under their parent process; each entry gives the image path, the command line, the signatures it triggered and its PID.

C:\Users\Admin\AppData\Local\Temp\2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4856

    C:\Users\Admin\AppData\Local\Temp\2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 3692

    C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 5024

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff9f20ab58,0x7fff9f20ab68,0x7fff9f20ab78
        PID: 1904

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1916,i,2667242311850054629,2650861576574583738,131072 /prefetch:2
        PID: 3708

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1916,i,2667242311850054629,2650861576574583738,131072 /prefetch:8
        PID: 1544

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1916,i,2667242311850054629,2650861576574583738,131072 /prefetch:8
        PID: 5008

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2896 --field-trial-handle=1916,i,2667242311850054629,2650861576574583738,131072 /prefetch:1
        PID: 3196

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2908 --field-trial-handle=1916,i,2667242311850054629,2650861576574583738,131072 /prefetch:1
        PID: 2812

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4248 --field-trial-handle=1916,i,2667242311850054629,2650861576574583738,131072 /prefetch:1
        PID: 5304

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4408 --field-trial-handle=1916,i,2667242311850054629,2650861576574583738,131072 /prefetch:8
        PID: 5452

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1916,i,2667242311850054629,2650861576574583738,131072 /prefetch:8
        PID: 5472

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4496 --field-trial-handle=1916,i,2667242311850054629,2650861576574583738,131072 /prefetch:8
        PID: 6052

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 --field-trial-handle=1916,i,2667242311850054629,2650861576574583738,131072 /prefetch:8
        PID: 444

        C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
        - Executes dropped EXE
        PID: 5536

            C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
            Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
            - Executes dropped EXE
            PID: 5608

            C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
            Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
            - Executes dropped EXE
            - Modifies registry class
            - Suspicious use of FindShellTrayWindow
            PID: 5812

                C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
                - Executes dropped EXE
                PID: 5800

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 --field-trial-handle=1916,i,2667242311850054629,2650861576574583738,131072 /prefetch:8
        PID: 5568

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1916,i,2667242311850054629,2650861576574583738,131072 /prefetch:2
        - Suspicious behavior: EnumeratesProcesses
        PID: 5424

C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID: 4528

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID: 2628

C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 5060

C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 2204

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID: 940

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 3992

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID: 548

C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 2128

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 4388

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 1252

C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 3984

C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 1012

C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 2580

C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 2192

C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 4336

C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 8

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 5004

C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 216

C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3484

C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 2612

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4848

C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 388

C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 2184

C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 316

    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID: 3940

    C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
    - Modifies data under HKEY_USERS
    PID: 4124
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD523a36da077ae5df0642ffe349264aaa1
SHA11d43a8546595613b0d60274989d4f02dcaee4053
SHA2569d91e70183e24240bc1d45f7f821dcef61c04a9890568fe477a4b4c55a38758d
SHA5122b27cf63e9197f0945952f1a73375f6d2c05762c2e9f719a8366cdb172013c2cdf332dbb5591954d0ef3f0e8844cbfa13e9477cb9f271588662a1069d1dcbc7a
-
Filesize
797KB
MD5c959bc20c705f9077a1faef1ad6dbee9
SHA1a7fde4d696cb106c995acca58c98b84ff09b1893
SHA25623529a84f5f207c27b17f3831edad0a543282aa448cb0fcbe721fca7c3bc0d57
SHA512f91b57402192faaf19716cd7e6bac5dac935683d5acb2fd516c0ca3f7befd1534c301175cd03d66b80da536e28001d8f9e0e02d15a5cc14d4f7bca99718ea889
-
Filesize
1.1MB
MD5b2bfd33023e9cecf2ccc60f1ff4f52a2
SHA165732597ebcb937789732492b45b9228403d8c8f
SHA256254e739cc9cf79e6758556b5cc25ecfe514ec415ad2b6a5bbb5117d0efaa35b3
SHA512dadebe504b3ad042365f4333e2286a4f461854ed840c9488cd7b4da20eb6f1185ccbf253b05301a7ddbb5f9a07a8aecfabaf39a2a629b15dbd0c422d5746e456
-
Filesize
1.5MB
MD57218c9382ebbdd7edc4810450c5a16fb
SHA17d3e942597a460d77a1db4dc225c0903536b50b7
SHA256650ab61ed139b69495893eae4a876c8017a42571231ca70f3d1a07051c762064
SHA512f5b76cdbed6f9c3a066b639a3f1679949d3ab01338eb3ef304d7dc5faf581d212933a1b27c2ea78bb39ef0e782f0aff4d4ea03b8fc7ce04c486ad67588cd426e
-
Filesize
1.2MB
MD5c1b9e50aa1a6db4f60a28c75e8c7017a
SHA161378341c8cc94a43b3e27743089607dd36be0af
SHA256
7f85866c8cc0d4a4f69d035bbf01c9b62c6e5ef34ca26ef6417d9182804cd77c
SHA512
820c4cfa486ecd62f3e97ce71fd87d188f56a5a592b3165b10519c68c9a12c9d02d1a6d5d141cf0894628d47965d0b2dec8cf96ab0a4fd6f9f29281a0ecd8c8d
-
Filesize
582KB
MD5
9f0d3e7e6cc4a254b1aad3d4cec2c033
SHA1
4afb3dfe83a8592678b5a7c504177f906f6adc61
SHA256
70de2b7b6a67b832f806abebb42187831c2e456be1c41abd9c404cff16c9773a
SHA512
d4447e1a50fbf4c31476575e14da32507851ee9eb055ee3c582a39f1a60b02908e5352371e17a36fac28fc1142ec303074393ac0412db6dff641c4b21cbc97ea
-
Filesize
840KB
MD5
7ba2e3c352656116f1e119fd492a3cb3
SHA1
eca1e5bc6a5d85de393d9fc72e7d9f57043c056b
SHA256
a65a702fd528b7ab8d3dc9f4795549fc7e812124c672794a28b3878a719bbe7d
SHA512
bb934c96f97ccd3be331a7cf6f71c2cd37946cedc25991380ea7b0e9ac4248294d13e9ffb25de3dae25d4a746c1f365f6e2bc1f4ab8a59b000129bff8a0be333
-
Filesize
4.6MB
MD5
c42ca6f9c1fd91a5e88a82cb54068a5e
SHA1
2e09fdf3a63cf5f47dd430e40c72adb25e400f96
SHA256
9aef9106d6c2d5b49896692155a6f35648f13719686deacee1b0b579baf15502
SHA512
c8d127f3cec09450b4c392a76d5c8506aa84908f02b78a8e451b87c7a19ad99f30ff5f23eeb86c111523ed5ab0ad330824c0ca50fe029897211098a0786600b7
-
Filesize
910KB
MD5
7c68be008309b9ebf0a4dabca02b22cf
SHA1
7a08914bb7fd7051003a8bf08f509a9479076135
SHA256
9c12531c6159feee3b79b6105eaf3717054143f08a831e477bdebdc5114cb850
SHA512
a1a06afd395352e26328e82d49ecd5c0a378cec77e815b87f10d5ec43bec67ef11ea8cc730dccc61fcd62bd23df0cca66c12e34a2279dadb0c85b23907ca62f1
-
Filesize
24.0MB
MD5
f86e710cebb888d3ab0801ea50fbde9b
SHA1
576ec57e180099562ae25fd6bc490b7562128a49
SHA256
1afdd6315397f0082a77d5a953cee73f664dc926b3ea2d1964b167044106d493
SHA512
5817dc3145cab02bc525a263f89d76e731f496ea5ffac5dd3b0f4dad7740424ac75da31b391d957a7b8eab8b122abd981eea1f9f8b9ed8efbe3b93c6136d191e
-
Filesize
2.7MB
MD5
64b1e722d325913c90d1efe56d3f6d6e
SHA1
65095c059fe7c730d502a57b22e0e5423da96e22
SHA256
184ef85384b4e632616a0f9f3fa6b0f1f7c17a06745d0d7e9d8d84f11973df2c
SHA512
8c68791f680b7f8faa7dba1ba4e62ce370a9913447b3912a375837398ed7aa386b9c6c8ef8ae2a8ffb5eedad6d3b9b681b2240246700fc92eb941f19a99d4229
-
Filesize
1.1MB
MD5
5c9787687893805a183e9afed994b4b8
SHA1
4413506677e8cfa119aa689a972d3036edffe6f0
SHA256
b381b5ab203da4bae44ecdd8b99920a02deef02b75fa0f10b2ffe78c858cc4e6
SHA512
a715867aa8b357d1d6322f73bc9e313cb28cdddf779d10cca683efffb2e38f73a30d58150308fd283e9be0d6f81f3d1ab2e7a871df4ce1f995b088d16bf40a2a
-
Filesize
805KB
MD5
a72e632427a141a3fc12651be5306ae1
SHA1
e57479d168b2957ed547f275be3c41b581808a21
SHA256
82527d55dcbbad9e89ff4b9b786ef1bd3529b7a8b1ab2c580f1a502e59606d4d
SHA512
a69cb96981e3166fd7bca66f6303a845ff980cc8d8baf81820338feab12a33a8d576860868e0290f2e89600b9df32fdc7ffef2f9ec75521d5711df987ca98acd
-
Filesize
656KB
MD5
8fca91fcd0c26339e12e06616d8faf30
SHA1
189b7a83cf742757ce94f02354bd29f3dd490a49
SHA256
0186b2a25ee5a1dad093f812ae0339e4bfbaa602405ef85a9e7d47bb79b366d5
SHA512
ccf1999e5e2e4c851e5e2e5c6ce0500fda7400c02e16e3e00c783a2a0cb6fd59217f097c49d8d631abe3fcfd8323d5abca824ed79fce38bcbaddc5cbb9c3725c
-
Filesize
5.4MB
MD5
481dc98abd74a4c44b50bf6cad7621f1
SHA1
130418530f5bee022161407085987b80a7ab0d05
SHA256
b078dda553c15c6087a1b2ce37bea54c460cf8b71bce86e329cbce395b20341b
SHA512
7820d48083276bf48ae1c4867fcb9ac6ed6679e80e2c532931a779138e466a22704fee71a7af263391e6b3bf513e554c8ee0d1334535d912de90e70045d210ec
-
Filesize
2.0MB
MD5
18afa065ad42a92f7b0549d8ac6dbcb8
SHA1
61475cac54904177ac69975f586322f78d47a1a7
SHA256
96e5078dc04b9f19738a5f6f10bc908f29b61590d20cf84fb618c99a021e2f6a
SHA512
0a3e403af446b5da91d0fcc2d7adab2e2164ceec2f6888645e6ce95612a32e3264daa9eda0a3a1e3c15a4297ca625cab30e5dd7a9a3943b6c1de52166baf9cfa
-
Filesize
2.2MB
MD5
9db9f39b04e421e4f846c7a0dabb328a
SHA1
65e248a451909f76774ee0339f721b10f4e3d8b4
SHA256
d4c46735bb65364d49ceca28ac3aa103dfe1bc7bb329715aec07919368d06e35
SHA512
b53701cce9b4594c3b538c83f8e4da29bd1d4b95107e6345d8b990f703666525b115727681a37750045447da15831e19945215129e91d52e001464df2de870b8
-
Filesize
488B
MD5
6d971ce11af4a6a93a4311841da1a178
SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize
1.5MB
MD5
59a8d391d358f4ff3b74747107161818
SHA1
62e43ef88930d24df4fa4a7b8526c78105074dab
SHA256
e62eb905335fb0a4220a4cb07093db6c571181a6138dbfca5c65822e048c2dd7
SHA512
7def566e97a8443eba5b6ae559c41da87452699143bc3d08517700d87b704173fee1e3c79aacb5c6f3cccdaacad5a0901b7bde00f71b8c2baf530d5fca2439ba
-
Filesize
701KB
MD5
d7d96d98f71e8309771ffe4fe6e6d6d8
SHA1
c2c4f1e9ba805b3c42b4c86cfe34c3e3a408c68e
SHA256
5e2b3d74e4ca5e0158b4c82d29ec2f76caa6058a27f9889950018a21502ae1d4
SHA512
6d0050539d650d258845abcebd13cdea31f5c43a395a873976dc0e4a72c70db20d4e2de451e88b2ae4844ed5eb65f98dee4a401175a0fe427f498018ffaa2052
-
Filesize
40B
MD5
23e6ef5a90e33c22bae14f76f2684f3a
SHA1
77c72b67f257c2dde499789fd62a0dc0503f3f21
SHA256
62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790
SHA512
23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122
-
Filesize
193KB
MD5
ef36a84ad2bc23f79d171c604b56de29
SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize
1KB
MD5
abf1dafc080d56e6ec70ace791c4606f
SHA1
088355b41dedc40878e0fd1c26eb12adf22cb947
SHA256
f559071eaf0075f2fbbf031067b55001adbc95f85aa3f63924f2b87c5f60fce6
SHA512
bc001fd4849c9c090aadf62bcf1f65bc109807cfe439b8184021ae0f541997505c0c614112fdc2352f5ed91d985cea27980b24d978866356ab53752ed6fab230
-
Filesize
2B
MD5
d751713988987e9331980363e24189ce
SHA1
97d170e1550eee4afc0af065b78cda302a97674c
SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
354B
MD5
5cfde5a28427862bb9eee808cc84154c
SHA1
85343cb4a7f94d7e4b9438296b04d3655996d886
SHA256
5cbed3a394cc94b07882a3d90df5f15d0d587af6da320bd41bb109e784fe6a85
SHA512
ccf486f1233f701d4e99f7dc3e302a6ad53f73203e184e11b6642f715f690d4c86c737975a8377a14ed68697323014fd476ba32afe4294e6e29033f8401e39f3
-
Filesize
5KB
MD5
362167aadd67e9fb843cb2a4311927ad
SHA1
b6e5ce78a51e246d8c3c2212695287ae0b5b29ec
SHA256
611548ee7a782e65227b4d30e6bb368ed107c706872ebd25a53662eaad003140
SHA512
39cb60a613138e01dff750a944250535ca2c9098829e704f4627797b507d7b08043038ea9908f5a2ab226a0314ee7eddbc80b3d8f450156a524a5c462401508a
-
Filesize
2KB
MD5
8441fa327ce1f6c12f371a1535e655be
SHA1
7ccca62179f1eb9a2d47c3886ad8ad4bf5b15071
SHA256
975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158
SHA512
986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4
-
Filesize
16KB
MD5
f103a8a6c55ba79329f040edab716f3d
SHA1
e21c544aa8999079a6294959fa5829de3838e92f
SHA256
780579f5d671a7f413b91f31b1e806b8fee039251f9a0d8db6471abde95fb4c8
SHA512
06fcb482774fbb168ee4455b3f1e45398296f10e217f429a105c9532a899810750d2bc7b1470f4697b4338d64e87bf070943c310fb6304d0a76da4569de152a7
-
Filesize
261KB
MD5
57f4fd5c3bef216c7ac599c47df10e3d
SHA1
bf0104fe1f1902fb9e2a89c1c8ab27b7d0e3a5b4
SHA256
6c6c7e4719921bc5ec494d83930599240e4b3ee7f712eb6e1884689b1ec800cb
SHA512
a170c91bb12a616ff8b967136d1a0ae750e5de186696c0b4e414f480513ef8de1915424e45b2c7c059b87f1f4bf802e455b23a39081809113f5fdef858af4048
-
Filesize
7KB
MD5
570b4f79d8484fd41106dc8bfbd2a193
SHA1
bc0fe57a61de0b4b855cefda66236ea23ee86292
SHA256
dbe279e53833842be47ed85b3bba9a446d9a2665d92b33662ac85f57f2c45ecd
SHA512
1a6a4d37562bd80ac01363932df4bf2b578518c6703c9880ad115f0c94799626e13a1d9ea79f295c263721920207f3e6c1d27b433dc73826622a3f656b8e1a27
-
Filesize
8KB
MD5
6ba47b15c9f703c6f83990dd0a441fcb
SHA1
e048dc947e715a0ef06e25f04d299a06804fdcdd
SHA256
cc7d066fa793e21ecbfaa4365eb846dcf45ec21d099f2d7d5dfd5b3a1f92bf55
SHA512
ed2f38241bbdbda0d1c2ceeb8d2aeee8ea88022b01caa0ffaebd59a3b26ca535dcbc7e0d906fe740985e1ea7f355801c0719e137a8172667e93d53bdfbcda8a2
-
Filesize
12KB
MD5
84701b9cefde8aa44cfe5b20948e9af7
SHA1
2eb476290c49d9a440e8eb6a11c2c9f24536936a
SHA256
717d34d49887f52d4e6c604620ed943462861dd23f2c83755e2533ccb258b671
SHA512
d82eca67ee4bb71a68a60468404ed40f2d85a442b3389a7d40e88d6f0e9b21b533a82562c70640890bec23a580baea894f53aa04c4c900a1524920e993b556c4
-
Filesize
588KB
MD5
9a64c1047fe0931218bdf117d2bc99fc
SHA1
574d6534adeed2be39200bd33234fb972e5eacd9
SHA256
d44197d92446c011ce3816fef846230187bb0567d79f7fb43e9b258c1b90dd8d
SHA512
34a58647b81aa6575f22ce97ab7249eb5a528e44072fd4c2cfbdb9c1e8f8e5778e7866571d215b66df9a5c85ffddb7ff0c758910f5241ee4f78daeb51a8f070f
-
Filesize
1.7MB
MD5
101e1ef0a8e5e594de1550dfa4ef021e
SHA1
3c119074c23415c9709642c5b208dc725759f218
SHA256
9e9c33c393be300b568d72ae9335113538e35b226146943c068e94d3e30904c4
SHA512
a74bcc701e7a524f9c222f096fca525af0e883cf6325c6d5884f71cecaa71fb082790cb424239fb03e7ef17d62cb760313cf47a79c6f2ba269f55bdd6a7835f2
-
Filesize
659KB
MD5
bb4e076d9586f644de74ed61c20c01e4
SHA1
b4d556dadaa6eba19266d7358da590ff54fdcea5
SHA256
009ecdd81ae45e124fc1da033e3bf20f48dcc5efca6de95c6ab24b102e581c0e
SHA512
98c4e9bd13c552368acf9711dc81f1f17484c14c5a96c5bb7e0f9409c685b4891756f2d62698188d50e59c22635b9bcd22f22550811adb1cfe115fbf14e234af
-
Filesize
1.2MB
MD5
ec2c0d0f1f98da8c5570fb2ebbe90ea1
SHA1
e3ecc3eec4d3334b7d6058dfd357ad1ae636d059
SHA256
df30be53e5a102bfd03a0506eea966f73f896d2f79eecf1fb121e08adb1c5d6b
SHA512
42cd78625f69e2ba4e0099a7f41a95b9fdf41cb0721d303ddaf81be7a38eee97b0a1bb786e730e6210745a5bfc44130692b9da349d8d0c8858ce24ef158587fa
-
Filesize
578KB
MD5
2a124e285434c2f3a18fb302ea5c4f43
SHA1
4505f1fe061f19a6ea8a98080781e5da1d876371
SHA256
37a8683a857c3c1936c5056ae0cc6a838553505f5d6fb3e98879cabd1b6b7cf7
SHA512
b776afdb7144e9674f6c1dfd5d858a8ee9ac38462ecd02514fd4631693b6587330c0cf13ce7fa96c13770e8e1aa7b9ccb67863aefcbd5b9331b896ae2c0aa9ce
-
Filesize
940KB
MD5
2607b28f2be34b34e90a6df1420df910
SHA1
a488d9f2b71c5083c5754e0e6bda29e414432026
SHA256
866be6a8e16bc1569ba901e6d2384390e76e4f92503b89f7df8f186aedf24e1c
SHA512
1fc435100c79ed639c2cec11294b4ec66bc1348e720a6d2cfe65b20147c3477903fbc7654d591c3cdca82197130724f00fec787604e965b2048604ed207e20b1
-
Filesize
671KB
MD5
3ef9d7e3e6c3eeefdfa95eabb76b40c1
SHA1
9edcbeb10dfc1741621b8c0168cb470eaa6561e8
SHA256
1d34500c8fed2fa113c361ba3ce1cbceba2ac833d588579e8bcbbc00a7b1e558
SHA512
1f4918f2803115abb53556119364108e9ab7527babf190a19b8e4923af05a26e22d69cfe6ca8d7599e18dd9bb77e4cf8289c926fcc2656e6a238598c78e4148f
-
Filesize
1.4MB
MD5
b70dd13cabbc6cab449f3828cef77f79
SHA1
54c6457e93f9e96b66e52561e69233a5ad117f94
SHA256
8feea69e8ab18d991addcaf76e7a7344510e7b0a53184c5c7065752e69e8a87d
SHA512
07aac5e685ab67ca4d748c5bd992f83568f4ef6c08b4cd590ab199c41e44cdb3f7e28643876aedcfcc0c002bb151e24edc4c85919aa53ba0e0624151926d425b
-
Filesize
1.8MB
MD5
5887260938883ba0f598fe368eb9ab46
SHA1
1412410091064a353993b4cfe8705ec806e40c30
SHA256
585e83bac5797b3d2fabfeef206bdd4dced2e0a3b3a02d372921349e4346f730
SHA512
e0c8b363e71dd43960d24783b95d95d6d6db0909464907d3d4ffac925f99ac77cebb2c0604af9fce7ced628cc2136e1306b289e72b44f40a5aba3a4286211165
-
Filesize
1.4MB
MD5
dfba2877897fa2f6b48d74b7757dfa04
SHA1
8e6046efa736d5b13bb7f7cc83cc7a7ecf4ca283
SHA256
c9d6400a41ca6c98e0bc11eb184d840b9f1a8052097d01048c517cedc3f237e8
SHA512
a81bad31bed4391f04ad70fc0a558dd4e1697a349a28f672e6ef2e274811b1344f8d1878fcbbf8b846d47453650718371670172a62b7b1eddcedc144916d734a
-
Filesize
885KB
MD5
8886b8931126d9c61374ceb1bde637c2
SHA1
00382fbc3db8e2235e99693184c64ea28386b1c2
SHA256
8c0c3eab025eace40fabffd96ad7a68e256b6aa2c2e9e115f0017627063cd3fe
SHA512
2367ddaf528c49a9c0bbc79161b82f447c22247cd89a6c88abe41bd4bf188dad5f028e743aebbe5f7726d15a446488d76ab8fa154e834153382639f5113935ef
-
Filesize
2.0MB
MD5
8562b9399716be020b74a09b6aa95d3a
SHA1
f9445b4c7bc589c63f282ac55347a6d57e9ae251
SHA256
067cee21bc6d2274b4d4bac3a0d3959adb05ee70f296fa0875d67815bd27a4f1
SHA512
64b9c9ca6882fa5c0f596a11de724139a7bc0089df3a7cc05f740720e0f43d6e953007e08668bf92e0e45c8a386656e77d83ed7fa860e9902239954c01577209
-
Filesize
661KB
MD5
04209638250833fb9500d8f4e3c6be6d
SHA1
dc16933104a4b19a023f44f2b8b2856117ca3860
SHA256
c6aad76a242cd9bbca8b3493e3f6d76c368083922c2722b483787f16a22ea47b
SHA512
0ac41d287cd4c915f8eaf00070199810d8b0fa912a6750503a4341322e4fd847c448b9c10eede2667f54126af4ee286af5a2c37f747950d87af2ed66a580fbbf
-
Filesize
712KB
MD5
f4d1760917ddb61762d44b839b713ecf
SHA1
45e8d13564c6e8121bc7d4a9e0d4f34f18da495a
SHA256
e72d52a179d72c39206c4ad764e134730226f4f89e91ddfd58f5b1ff15722d20
SHA512
f6df2ce62775852f053d6f5d32e892a863ff0875e80c5678a511325e7cb9d7e2fa1c81f5c324afd21b9ca0e90ba4f160af8bba8db55f696ff4af60a6f15a966a
-
Filesize
584KB
MD5
abad2798ac7b0adfd3bb0704429bc826
SHA1
3363917f874067c8648eae2d9ec36eb6ffdd8322
SHA256
5d0f1c072533f5eaad1fdc6c1fbeb1865818b7acd469bcf7949e5927d7ad3752
SHA512
d33bd489b08c72d62b1f05399eac3e86f406ea42d09d4be3b4ae165b82b5c1c712951a122df4ec7aad5c933a9679cbabc09c4143b19cedd878a2952d8f76d453
-
Filesize
1.3MB
MD5
9882d9a3ae1b410b58d26baed39c7ef5
SHA1
5518a583b682e50d8a14dae50f98e6e377f55d5b
SHA256
0cd4e34806b046ebdf872f3099cf582ebcd182bab86932e3caf3b63e9684cce7
SHA512
b6b7f6310f0c9beb424e816cc743bcc5c0c4667896cad68007e74ed608157553c441b633d345fe812b72b71acc366416029c6095736eb860cd46f1090c4e91af
-
Filesize
772KB
MD5
e9cb9e6a358d73d693e4b9bd4a970445
SHA1
1655b7a5a730feb097adbf49a15e65b255f9511b
SHA256
1b87616c2cf96f2b7ea6e697d53a532e647571ab1edff832a9630f08bf6b06d9
SHA512
cb59bcf529641ac0fe4e1a313cde89ba0a971b6d137ea0f0bd5acf6915a1e5ec7b586fc85444dddbdb82be5664a3ab05e916bae6f020b8b967caf9b850804df8
-
Filesize
2.1MB
MD5
28826223cccba2bff1d18fd385a0f5eb
SHA1
d3b2b49b68773b6eca72faa989fd832cb093458f
SHA256
49245461d3cab0238361699ec546d73bfda5cc47bf943e74ded3eedac43b5172
SHA512
c4dece6122dce1253519d87dec6a30050d8958e4148644357a707eeddf84bf6f24e2245f8ea05bfc0f3403e603305edc855f09b03f17ee3321d2743e0246b5a6
-
Filesize
40B
MD5
440112092893b01f78caecd30d754c2c
SHA1
f91512acaa9b371b541b1d6cd789dff5f6501dd3
SHA256
fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6
SHA512
194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea
-
Filesize
877KB
MD5
fda326788b852ea53b536e2141428807
SHA1
4aeb6a74fe9a2aba1f3a4798c50a1d95faf847a3
SHA256
059b85ffca0fc62b288b09329a86a5625321d819c395e2a47cf3eb8b1a83fa39
SHA512
7ac1faeec59c06b0e23aac0904a1368f3b044671e2f3d133d0a30dfe7abf580e67fa08b27124f1b21f8963c027009b736b5ab987a5e5b69dbb4398c36c5ac773
-
Filesize
635KB
MD5
25ea2e7bcba550192ac871527176fd59
SHA1
cd969e831190535807cae0597520d26900550b05
SHA256
b0b3f6369e48d14d23062043fd43f1c30ffeb048cedb6028c02589281b2d7ac9
SHA512
c4cf10529013f22966ad647adeb8d429222d2bd7b4415a688bc04e8531f7bf961afff455d8175293a089c6d72274c2305de5012dfafd3e8136d21bfbedbe32ad