Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 15:12

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
Resource: win7-20240220-en
General

Target: 2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
Size: 5.5MB
MD5: 9951d0860f542e282997ba6ec9b2c056
SHA1: b8a98349cbb6f6369e7714a6f625e5a08924cf37
SHA256: 81bb3d06d9eb7ede81e14413b454b06e82c2cf471dfcee3640d3780dcf5f7c17
SHA512: 5f0ba51aa3765da13b11c51fd0795239cb972530453a97278287b92643038037a0b6462aa9aad9a2016f8110678c9ffcbe7c67249c73dfb06cc4e12185dd2ca7
SSDEEP: 49152:qEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfC:AAI5pAdVJn9tbnR1VgBVm5C17DVqFJU
Malware Config

Signatures

Executes dropped EXE 26 IoCs
pid   Process
1252  alg.exe
1952  DiagnosticsHub.StandardCollector.Service.exe
3364  fxssvc.exe
2760  elevation_service.exe
4748  elevation_service.exe
4144  maintenanceservice.exe
1368  msdtc.exe
3052  OSE.EXE
2540  PerceptionSimulationService.exe
3636  perfhost.exe
3700  locator.exe
2588  SensorDataService.exe
4864  snmptrap.exe
2828  spectrum.exe
4556  ssh-agent.exe
3632  TieringEngineService.exe
4588  AgentService.exe
3680  vds.exe
2480  vssvc.exe
3864  wbengine.exe
3668  WmiApSrv.exe
2460  SearchIndexer.exe
5792  chrmstp.exe
6020  chrmstp.exe
6044  chrmstp.exe
5240  chrmstp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
description  ioc  Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TieringEngineService.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Modifies data under HKEY_USERS 64 IoCs
Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5db194cffb4da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" SearchProtocolHost.exe -
Modifies registry class 1 IoCs
description    ioc    Process
Key created    \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\    chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs
pid    Process
944    chrome.exe
944    chrome.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
4736    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
944    chrome.exe
944    chrome.exe
5616    chrome.exe
5616    chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs
pid    Process
660    Process not Found
660    Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid    Process
944    chrome.exe
944    chrome.exe
944    chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
description    pid    Process
Token: SeTakeOwnershipPrivilege    3496    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
Token: SeAuditPrivilege    3364    fxssvc.exe
Token: SeRestorePrivilege    3632    TieringEngineService.exe
Token: SeManageVolumePrivilege    3632    TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege    4588    AgentService.exe
Token: SeBackupPrivilege    2480    vssvc.exe
Token: SeRestorePrivilege    2480    vssvc.exe
Token: SeAuditPrivilege    2480    vssvc.exe
Token: SeBackupPrivilege    3864    wbengine.exe
Token: SeRestorePrivilege    3864    wbengine.exe
Token: SeSecurityPrivilege    3864    wbengine.exe
Token: SeShutdownPrivilege    944    chrome.exe
Token: SeCreatePagefilePrivilege    944    chrome.exe
Token: SeShutdownPrivilege    944    chrome.exe
Token: SeCreatePagefilePrivilege    944    chrome.exe
Token: 33    2460    SearchIndexer.exe
Token: SeIncBasePriorityPrivilege    2460    SearchIndexer.exe
Token: SeTakeOwnershipPrivilege    2460    SearchIndexer.exe
Token: SeTakeOwnershipPrivilege    2460    SearchIndexer.exe
Token: SeTakeOwnershipPrivilege    2460    SearchIndexer.exe
Token: SeTakeOwnershipPrivilege    2460    SearchIndexer.exe
Token: SeTakeOwnershipPrivilege    2460    SearchIndexer.exe
Token: SeTakeOwnershipPrivilege    2460    SearchIndexer.exe
Token: SeTakeOwnershipPrivilege    2460    SearchIndexer.exe
Token: SeTakeOwnershipPrivilege    2460    SearchIndexer.exe
Token: SeTakeOwnershipPrivilege    2460    SearchIndexer.exe
Token: SeTakeOwnershipPrivilege    2460    SearchIndexer.exe
Token: SeTakeOwnershipPrivilege    2460    SearchIndexer.exe
Token: SeTakeOwnershipPrivilege    2460    SearchIndexer.exe
Token: SeTakeOwnershipPrivilege    2460    SearchIndexer.exe
Token: SeTakeOwnershipPrivilege    2460    SearchIndexer.exe
Token: SeTakeOwnershipPrivilege    2460    SearchIndexer.exe
Token: SeTakeOwnershipPrivilege    2460    SearchIndexer.exe
Token: SeTakeOwnershipPrivilege    2460    SearchIndexer.exe
Token: SeTakeOwnershipPrivilege    2460    SearchIndexer.exe
Token: SeTakeOwnershipPrivilege    2460    SearchIndexer.exe
Token: SeTakeOwnershipPrivilege    2460    SearchIndexer.exe
Token: SeTakeOwnershipPrivilege    2460    SearchIndexer.exe
Token: SeTakeOwnershipPrivilege    2460    SearchIndexer.exe
Token: SeShutdownPrivilege    944    chrome.exe
Token: SeCreatePagefilePrivilege    944    chrome.exe
Token: SeShutdownPrivilege    944    chrome.exe
Token: SeCreatePagefilePrivilege    944    chrome.exe
Token: SeShutdownPrivilege    944    chrome.exe
Token: SeCreatePagefilePrivilege    944    chrome.exe
Token: SeShutdownPrivilege    944    chrome.exe
Token: SeCreatePagefilePrivilege    944    chrome.exe
Token: SeShutdownPrivilege    944    chrome.exe
Token: SeCreatePagefilePrivilege    944    chrome.exe
Token: SeShutdownPrivilege    944    chrome.exe
Token: SeCreatePagefilePrivilege    944    chrome.exe
Token: SeShutdownPrivilege    944    chrome.exe
Token: SeCreatePagefilePrivilege    944    chrome.exe
Token: SeShutdownPrivilege    944    chrome.exe
Token: SeCreatePagefilePrivilege    944    chrome.exe
Token: SeShutdownPrivilege    944    chrome.exe
Token: SeCreatePagefilePrivilege    944    chrome.exe
Token: SeShutdownPrivilege    944    chrome.exe
Token: SeCreatePagefilePrivilege    944    chrome.exe
Token: SeShutdownPrivilege    944    chrome.exe
Token: SeCreatePagefilePrivilege    944    chrome.exe
Token: SeShutdownPrivilege    944    chrome.exe
Token: SeCreatePagefilePrivilege    944    chrome.exe
Token: SeShutdownPrivilege    944    chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs
pid    Process
944    chrome.exe
944    chrome.exe
944    chrome.exe
6044    chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs
description    pid    Process    procid_target
PID 3496 wrote to memory of 4736    3496    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe    82
PID 3496 wrote to memory of 4736    3496    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe    82
PID 3496 wrote to memory of 944    3496    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe    84
PID 3496 wrote to memory of 944    3496    2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe    84
PID 944 wrote to memory of 3724    944    chrome.exe    85
PID 944 wrote to memory of 3724    944    chrome.exe    85
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 4552    944    chrome.exe    109
PID 944 wrote to memory of 1844    944    chrome.exe    110
PID 944 wrote to memory of 1844    944    chrome.exe    110
PID 944 wrote to memory of 1804    944    chrome.exe    112
PID 944 wrote to memory of 1804    944    chrome.exe    112
PID 944 wrote to memory of 1804    944    chrome.exe    112
PID 944 wrote to memory of 1804    944    chrome.exe    112
PID 944 wrote to memory of 1804    944    chrome.exe    112
PID 944 wrote to memory of 1804    944    chrome.exe    112
PID 944 wrote to memory of 1804    944    chrome.exe    112
PID 944 wrote to memory of 1804    944    chrome.exe    112
PID 944 wrote to memory of 1804    944    chrome.exe    112
PID 944 wrote to memory of 1804    944    chrome.exe    112
PID 944 wrote to memory of 1804    944    chrome.exe    112
PID 944 wrote to memory of 1804    944    chrome.exe    112
PID 944 wrote to memory of 1804    944    chrome.exe    112
PID 944 wrote to memory of 1804    944    chrome.exe    112
PID 944 wrote to memory of 1804    944    chrome.exe    112
PID 944 wrote to memory of 1804    944    chrome.exe    112
PID 944 wrote to memory of 1804    944    chrome.exe    112
PID 944 wrote to memory of 1804    944    chrome.exe    112
PID 944 wrote to memory of 1804    944    chrome.exe    112
PID 944 wrote to memory of 1804    944    chrome.exe    112
PID 944 wrote to memory of 1804    944    chrome.exe    112
PID 944 wrote to memory of 1804    944    chrome.exe    112
PID 944 wrote to memory of 1804    944    chrome.exe    112
PID 944 wrote to memory of 1804    944    chrome.exe    112
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe"
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3496

    C:\Users\Admin\AppData\Local\Temp\2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\2024-06-02_9951d0860f542e282997ba6ec9b2c056_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2dc,0x2ec,0x140462458,0x140462468,0x140462478
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        PID: 4736

    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID: 944

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe7c45ab58,0x7ffe7c45ab68,0x7ffe7c45ab78
            PID: 3724

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1932,i,10678380713198116994,1883454736566303060,131072 /prefetch:2
            PID: 4552

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1932,i,10678380713198116994,1883454736566303060,131072 /prefetch:8
            PID: 1844

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2184 --field-trial-handle=1932,i,10678380713198116994,1883454736566303060,131072 /prefetch:8
            PID: 1804

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=1932,i,10678380713198116994,1883454736566303060,131072 /prefetch:1
            PID: 4264

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1932,i,10678380713198116994,1883454736566303060,131072 /prefetch:1
            PID: 740

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4328 --field-trial-handle=1932,i,10678380713198116994,1883454736566303060,131072 /prefetch:1
            PID: 5428

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4532 --field-trial-handle=1932,i,10678380713198116994,1883454736566303060,131072 /prefetch:8
            PID: 5748

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4672 --field-trial-handle=1932,i,10678380713198116994,1883454736566303060,131072 /prefetch:8
            PID: 5788

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4416 --field-trial-handle=1932,i,10678380713198116994,1883454736566303060,131072 /prefetch:8
            PID: 5528

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=1932,i,10678380713198116994,1883454736566303060,131072 /prefetch:8
            PID: 5676

        C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
            Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
            - Executes dropped EXE
            PID: 5792

            C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
                - Executes dropped EXE
                PID: 6020

            C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
                - Executes dropped EXE
                - Modifies registry class
                - Suspicious use of FindShellTrayWindow
                PID: 6044

                C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                    Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
                    - Executes dropped EXE
                    PID: 5240

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 --field-trial-handle=1932,i,10678380713198116994,1883454736566303060,131072 /prefetch:8
            PID: 5924

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3596 --field-trial-handle=1932,i,10678380713198116994,1883454736566303060,131072 /prefetch:8
            PID: 3856

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1932,i,10678380713198116994,1883454736566303060,131072 /prefetch:8
            PID: 5772

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 --field-trial-handle=1932,i,10678380713198116994,1883454736566303060,131072 /prefetch:8
            PID: 5756

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1568 --field-trial-handle=1932,i,10678380713198116994,1883454736566303060,131072 /prefetch:2
            - Suspicious behavior: EnumeratesProcesses
            PID: 5616

C:\Windows\System32\alg.exe
    Command line: C:\Windows\System32\alg.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID: 1252

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    - Executes dropped EXE
    PID: 1952

C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    PID: 4860

C:\Windows\system32\fxssvc.exe
    Command line: C:\Windows\system32\fxssvc.exe
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID: 3364

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    - Executes dropped EXE
    PID: 2760

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    - Executes dropped EXE
    PID: 4748

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID: 4144

C:\Windows\System32\msdtc.exe
    Command line: C:\Windows\System32\msdtc.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID: 1368

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    - Executes dropped EXE
    PID: 3052

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    - Executes dropped EXE
    PID: 2540

C:\Windows\SysWow64\perfhost.exe
    Command line: C:\Windows\SysWow64\perfhost.exe
    - Executes dropped EXE
    PID: 3636

C:\Windows\system32\locator.exe
    Command line: C:\Windows\system32\locator.exe
    - Executes dropped EXE
    PID: 3700

C:\Windows\System32\SensorDataService.exe
    Command line: C:\Windows\System32\SensorDataService.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID: 2588

C:\Windows\System32\snmptrap.exe
    Command line: C:\Windows\System32\snmptrap.exe
    - Executes dropped EXE
    PID: 4864

C:\Windows\system32\spectrum.exe
    Command line: C:\Windows\system32\spectrum.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID: 2828

C:\Windows\System32\OpenSSH\ssh-agent.exe
    Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
    - Executes dropped EXE
    PID: 4556

C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
    PID: 3948

C:\Windows\system32\TieringEngineService.exe
    Command line: C:\Windows\system32\TieringEngineService.exe
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID: 3632

C:\Windows\system32\AgentService.exe
    Command line: C:\Windows\system32\AgentService.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 4588

C:\Windows\System32\vds.exe
    Command line: C:\Windows\System32\vds.exe
    - Executes dropped EXE
    PID: 3680

C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2480

C:\Windows\system32\wbengine.exe
    Command line: "C:\Windows\system32\wbengine.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 3864

C:\Windows\system32\wbem\WmiApSrv.exe
    Command line: C:\Windows\system32\wbem\WmiApSrv.exe
    - Executes dropped EXE
    PID: 3668

C:\Windows\system32\SearchIndexer.exe
    Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2460

    C:\Windows\system32\SearchProtocolHost.exe
        Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
        - Modifies data under HKEY_USERS
        PID: 5224

    C:\Windows\system32\SearchFilterHost.exe
        Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
        - Modifies data under HKEY_USERS
        PID: 5448
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
16KB
MD59227547600324aab20df7a74adc26830
SHA14c8d2a474baf74a981b2a9068ee809337193d5eb
SHA256ad0eb464186218cb9e9c1230dcad03f6eadaf3ede6ea1188e6a32ea5af20f70b
SHA5123cae4c40c886f6ed7ecfd454760c82da78e35f46ec715a66acc91502c53a1a9b476555c3f773360b465090af89dad5936fc57614ccfe8be8f99e410c253491c2
-
Filesize
283KB
MD50fffd7fc7cb40feae5d0937719fe2345
SHA19a3e9f7870482bc133f16bc1ca6bb7e6eee1876d
SHA256996ec7f586579e2c137f8f5e517e57838272bc83f900d9d15d5fe909198af0c8
SHA51240ec9253b44f6961eb7b4f66f95a107e7157832e366fa21f9e399a17df9c1910f73874657c0496e7c7568bacd35169a5e58cac5770aad4dd1cfb7ab2361836e1
-
Filesize
263KB
MD574532f7909b985a6d95b32f3c2292004
SHA1cc599e2769caebbca31a690a87685722af8c16d5
SHA256cf03eb13424356957a4b6278709cbb26e010f761f11f03ba0f34ad1df6bb0e12
SHA5126cc956ae19de11f4d31bb2acdfee9fefada73f628257f39429489621084cb74ce118a0ec0d7c35a297433949ae2bf44100ea119e739b942aa91ed5ef3bcf4126
-
Filesize
131KB
MD5cc94c81f0697a2eb5239f6a2b87487b4
SHA16d7fd957ee08ee23415fe4e0602391382d126012
SHA25616934cbe8d123ebc10a719f2c9a8dbacc68f087ac4e54e8b44d79c1ed96fd394
SHA51259c92eb42dc87a0fe886d7f3c4837665f19fa8cc77e5013613575f4f47a87fbad5145e5ce9ffd6ae8340742a9693afe16d767e4e2888ad4f86337906bfed17a6
-
Filesize
263KB
MD5377fa8a3e672547aa0f0084f3ec1419e
SHA1e34dc2fe75085ec1b44cecce0b9978f3e3b2c9be
SHA256941b9084b2963fddbf6ffb81f21258e5462ac54158d8ed625dd9ef5329ade61f
SHA512a714f3a70ca16d762ce9edc77c5629013a34a1efab2c31ef4e0a0b816aa4c09f795f4bb6ea5267f45884f298e43ea6a4b49577b4d610faf28821c22f75b0b272
-
Filesize
91KB
MD5e453561d72fd7cd8e8f863b9c89f3bc3
SHA19f24c2152c2487ee69fede893776286e01414382
SHA256bf74bbae1af946e3676d4537bea6fdbe9ae964a0e37b3750a5298baac25090ad
SHA512504ebaefcc4bd795258b3d691c73f17d5224637cfb38e099cc77ccc7d652524b6bf6b433f74372786332d6eb42183c491cc3bcb73e4e0b85f895aea37206308e
-
Filesize
88KB
MD5be6643c7b7d1dd5bd4e53fb98ff1b807
SHA10486b0281b67b231076ca2072ef30a054c3f842c
SHA256d4e560698b98c3481976dd112ceb04c29965f20ded069600a17f9b04bc963c60
SHA51286f15e220eb14d546d0655861de75ad6213b3aa250315b2b056bd4a5b6a0037b7231838188aa25ad3819ff175cbdbe9c388f5e28a2af9d66843926906268e6d9
-
Filesize
7KB
MD5b295e7949acded771d123233455da8bd
SHA1a61f757d7e2a0c0a417b05737b4bd596ed32bee9
SHA256cba2e871fb39a9b846959b33d77bb95fef7406eadf12c9a01dddeffc2735dde5
SHA512177e49e696bfe503573f47d25028ddde9834a3a04740bebd3a5e55e7caa55059c6bad1475e792bfe5eb2c704e38674c6086a780d1c810e9b973673abc91dd047
-
Filesize
8KB
MD5f62cddf427b0cd311d77c14157ec6d99
SHA118e0921c3a080cd7b68f53eef716665c07295ccf
SHA2569d0437224a0c54241374810e240ea87ccf5c68edf78f4b1460d849034433fb15
SHA512009ddabfb7cb96a1f4ed80a02afd135643cbb6e1e126e7220d00f4cf4dfb14d951b5c5ff44ac3890b584c29fc058d4b62fc3eba484eb53f0c94d2a31e82d2946
-
Filesize
12KB
MD54f94ab80dd733ee4424731771726548b
SHA17edde4b59a274eaae8e8316c2505ea014914f38d
SHA25654cfe2e0a0af2fab1f5711521350abd0ba6f80b33d8ac0db8f2a7bd31deac5d1
SHA51210b4f58df99a2a865f246be9ac2d0186dc545b298ca1e93537d98cdd216d77cf00cd69522293b33bfd0e073c4b24e126dd33fc014aeb2db689216c97c4bfdd3f
-
Filesize
588KB
MD5a7489ab6143696ef0a03cd33560f0635
SHA1b83f29a9aedc61067d7ea3cfc72409471177645b
SHA256325cfcaf2565a9682b3426bbb8ebd9998b4825334fec8388bf681db0dd91726f
SHA51218c5909b365e4c6a044f8dc1fdce59601d33e1ed708922a553fbb603907b194ffda7880ade42e01786924c309cef5b743573cb30e6250647d55d5f1adfd7d9d2
-
Filesize
1.7MB
MD5d2ef7674538abf55426b7578f1aae8b4
SHA1cd15954ea5540a1f021305083c8db98219e37c7c
SHA2562e847144494fe3818197d571cc3093e6fdcba88599e1edbd58108cc832edb286
SHA5122ca2fb530efdb9274fbf6294f05e9ba599db46c04fcd7dae1edadd0f0ba9447ab3c0ebc0599af9fc2678e9f7b3b47ea32a22713b37a821cfeaf0cf117f5e7a99
-
Filesize
659KB
MD51c22c0e2ecb4d8e162eaca4b2535e260
SHA1d292b046d4f504facbbcd550480e6abd22b4c218
SHA256e5dcea809e078d137e2cb69227db43066980347ebc7f069c94c0555965b90afe
SHA512bb47f57be3c31894691a0decbb7daad0a953f82c1cb1cf0fe39c9178f42b1b363c0f60f0729ce9cf305e8367967c2cbdddd7d52854028d65d3b1a1487b496930
-
Filesize
1.2MB
MD50760b2cacbc9ced33a76f2299c35d9fa
SHA119efd3858d28e6f6d3241362e285254a9079f302
SHA256cde2d3ccd21b5591976e15182e1b750a7825b19f4d93d0ffbb5dcf935a73d9d1
SHA512d464da967bdfdb494fd02f8eedb4afd8df6c79d48efe3f52875c797516a53661ebc3f137488054eb2e3726fc6ea6357384cbc034c05b892d0c275904b5bae64f
-
Filesize
578KB
MD5d27ea4ff5df754e4fd37d99a0c7e349a
SHA1e803866079d1f2f3ed9e91eaad5332060797e2a1
SHA25654b1945844861a0dd6b3d62f0113443508d23198d9a0552f1b9776e00fd56583
SHA512bd31c9bb82bdd19c45838e7525fdd2f5826d98400211c8a8c462162364d45ace5c4e49743064289fea5af886869391868934d9ba15efacbd3f4286d890c7eb71
-
Filesize
940KB
MD5f65a4c79e235e50ee49a77800163f021
SHA1315d166137875132d96d050d578774b783b1e6ff
SHA2564afe4aefa7696fbd5d96c230494f0ade1de234944d84072e608661b20b572632
SHA512f9c946b3ee66b59d05b20b2809d8616a5e09ea685dda8da7c8e4d3a3830c74217120237157dda01ed4fb9460e63cf817904045d60c30edd4dec2d098b031409d
-
Filesize
671KB
MD569b1f06656f3e8f020be9d944072840d
SHA104f6c79a958595888179cbf813c7b7d4b682dff8
SHA256954392d35129917fc016b458def790b0c7e9de33a485be5b6f68731de4460f5f
SHA512199638278cdf1532589ee37fb070e8d4558fa95b8f2c45e3b11c8379fd46cc2116e60673d4396f605886ad0cfcebe473e34be1d7c9727c3168a495ce43c2a9a7
-
Filesize
1.4MB
MD532c28906461524b65211ed773dafd792
SHA1d4cd7224c9b703d8838e2999a3c155c0202c353f
SHA256461b48331ea2d3f5b006534219496bc63f9b54c77a0bd94f633cc7cf4008ff9c
SHA512aa5727026e43ea8166b10cfa7dd75a72b4294b9f852e142e285a8dd175a270582711a612a6c92b398708c220277c6f7c5d4edd52f8df9146f20253b0db13a2a0
-
Filesize
1.8MB
MD5c460c5ec651295bccb52255b0232c9ef
SHA10d1bc635961c369c0c6fbcf7dc18506591c28a90
SHA256dc8efcf685836cd009be4ecc8c0b2d69cc251452a9bf620e45c85d27357ba7ae
SHA51291ff501f8b07ce992b606221eb5de4532076675c2d10eb27449ab19993e3fc3a095a2f66c462202ba9268d32de2bf0acdf8318a88e63bfb7260e58df626706d3
-
Filesize
1.4MB
MD53e55be614b1de652374e0bcf48cc9ac8
SHA1e564f0a1f9e782999f2792f44db2f075e4117451
SHA2560ccd63c0b1606b224b21d20523129c93b17060d0ff60cb9e6c1af58755c7514c
SHA5129efca6a30e9b0f5ec8c7cc62950f8ed6dabe54262a59c3c5c8d8f5381e4de185299273b56e668caba0c7ec1477a7b47e7126e1e45e51c4577bc0c3ebd56bc17b
-
Filesize
885KB
MD5ba08ad503b79ce8c2ef0c77f495dcd17
SHA11b3d721039e4ad8ffc704facf30fbe54853ba3a3
SHA25671ade5c6285f5bf24d591cc77bad9326cb76976a953cb6a123526a6c1c386bb3
SHA5127fb1b7677b62c2c0b6410bb3b9734b9b7617ee43af9980d79ecad803f1d08f2618b5592deeda5887047895e73a1ccfdf170aa91f9c3f6938f76ea877f415b663
-
Filesize
2.0MB
MD5fa0ef11d319420af241fb1a733815e2d
SHA1180694b9bf91e48b2f7e5a8572da0df100194bf9
SHA256558d48aef780fee0ab9ed99bb7b7c979ffbead7bc5ac3e14da6c552d2c07c809
SHA51281a128f55632777d59ec686f8bcc3dc6e244eff724f8e6f14d238fc4c5b7b2a0bff0ea29e73f110500d50fd32382ec76805720c431b015830907b88b75e8c82b
-
Filesize
661KB
MD542e7c23d4cba8d98e520377b830920a4
SHA133baf1f8e9f40dec36d481bb4cd123b88d9f25b7
SHA25653e2756068f39eb9b2f985ed39249a1b38440adfdb3435d14542e7d852d0349d
SHA51207dfbaedd6f9928b0ef57d2894850d818846541f5b06bad1c8a9660debd78f45004d7f7293a73e34b55b2a0915be5fe3442223aba7a0cbae32f2941fb4413486
-
Filesize
712KB
MD5460971ac37554f1259a5b131b7b47b47
SHA10338031719b9244edba0058652ef0d7dcc6f7f04
SHA256dba5c76b872c0a1cd8d8f09eef2a65459aa2062952b7d96417c8c0867ad45d95
SHA51279c8081b01a996d8fa1e426c3d1fd3390d1ebc3c025849855ebe99f1ff03369da7c64a52ef0e98beed90fb580a2e9e9ae26a24ef877fb278e5285d212cf0555d
-
Filesize
584KB
MD5490f211f6c4fc9a6c3776ea5c61e024c
SHA135e41d6ee0ff073778f695cf1c22434be568c790
SHA256714af73d85c47eb7c25885e7bc0d41f19d0ce0a51d7193fe58327c0cb6ef15c8
SHA512a9781e1402fcebf924771800d8df8756fc60392b0693193224e5c7af1c099e69a319292fd31578b6c75950b1b030f9c3fc15a3ef20219544ec9e84459d9971ec
-
Filesize
1.3MB
MD5bbd292ef90b2d6ef7a92a369673b82b9
SHA16962ca306843013a00988730ba6f94dbebb8679e
SHA256457c4730340a00d6d28d5885b775c312fbcedb553b1dedd9aa94b00f283d837f
SHA512ca04986e4343e329014c6a0671c4f046b4ee1b182d95023108480b24365ecef90e225a54f5374e33a5bd0dc53698a038a585fbee3ce22677791445e37ad99b50
-
Filesize
772KB
MD5296a13f315d332bf99482f6c1d8ec0f8
SHA137b20e33cce5c51031f697d333ed178f7ed7e992
SHA2561d53031adc754d9eac0dace6a8fe4d4ad2531d3de3a7b0e273e0f171e389dd90
SHA5128e74e4da54a3e0fdba6911703ee54026574ecf3ee3b1a3b1130ed18d76a1d1fe2e4983d6316a77a10e3a472eb9fade3df6a9119220f050c8548a0070fe21ac55
-
Filesize
2.1MB
MD565268973729ffa1b1a70f513b4effa4a
SHA1d5b5501b68810fb3d4989136286f3c2616f0db3c
SHA256591b585671520fbceabbeb4c205a3f8fbc7cea2195ae1b0e1165a9cda917f009
SHA512a904b93beb07df188fad83f62d0d110e70dae7f17d5a546fc75ce5344746c18cf994189653c4b686c6bbe74d6b11672b9bd0e8a94e26079d45dc36101dc277d6
-
Filesize
40B
MD5257036a0fb3d2768f2801e5d32b9ce30
SHA10634d123cc54fe889f179f59136e47357ff7f7d3
SHA256fe6257986f35787b1ef9628e36a811d3484fff46899b61381086da82e363c462
SHA512381a451ab3b3c97eb3546554811f0784e5341a7f668b9ceb41dc077d34ebd26fbb29b2e0ab21b2a52b8637b3998943c14ce60380b8525378d37ccdceb0f0e5a1
-
Filesize
1.3MB
MD5f18a26b42f6107c1c99cdfd2c14df527
SHA144e601fd12c0625d7987fc866eaee4228d447105
SHA2560c57651a8d7f3d0119c783064a2de925065544af31e5db27c6af8a9b25221337
SHA512b841e39593c57d47d3ea447eadd41a43417df864b7340557fc68eaa5f7a4e1333a46e1525522fc79dcbab4b6cfd51924abf6fc2d4ac9b06bf5395e26be08a2e2
-
Filesize
877KB
MD50ba9b3aa891bdbd5e4d49422dbf6325f
SHA117ed3c8f7319e0b2a69c9540d11caa44dd13c76a
SHA256a6def196eefe1914bf05c7bf73a69208e0d5d92874545af66bb0d20f883ca422
SHA51244b1b61e49cc147f9acece922d4d299f98534af25d207f2e7857347a0293eab00d2dd7944444ca12f9632e05e5624a8141f4404ad0751d452fd81f1d7081cbc7
-
Filesize
635KB
MD5221fb3712cf47840a4a394a8a8fef648
SHA100c0bdb4c02723291a5d8b416125e9188fb01f5f
SHA256c19a725a5801e3e6f75c0f9a5c2b28ecd38b10c6c4322f7039a9d79fbd69fa10
SHA51280fd4e2f3d5adfc16de684f576716729ea35c3a149437de29f610c8f273fadeafe97dde01888a11697f4fda67c71e671a8d513184e0f9a1f165b4494b8757968