Analysis

max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 18:45

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-03_0f69528ba287a5d2f6d6d01eac445acb_ryuk.exe
Resource: win7-20240221-en
General

Target: 2024-06-03_0f69528ba287a5d2f6d6d01eac445acb_ryuk.exe
Size: 5.5MB
MD5: 0f69528ba287a5d2f6d6d01eac445acb
SHA1: d4d0622a5c02e9436304a96b603721c8776c3717
SHA256: deb505084b15e8b385d743de0535b3fffc452f5e3f50edcf824056181629212e
SHA512: 1ebfcdb65d74887a4b34c0f5c784c43f4bbea76d8fe119a38483024b692ae636218a5916bfb0e4e30e11ee8147dd956e8414c93b77e0be38865c993a16357e33
SSDEEP: 98304:DAI5pAdVJn9tbnR1VgBVmoU7dG1yfpVBlH:DAsCh7XYlUoiPBx
Malware Config

Signatures
Executes dropped EXE (26 IoCs)

pid   Process
2116  alg.exe
952   DiagnosticsHub.StandardCollector.Service.exe
5112  fxssvc.exe
3232  elevation_service.exe
1732  elevation_service.exe
4008  maintenanceservice.exe
4636  msdtc.exe
1740  OSE.EXE
1656  PerceptionSimulationService.exe
8     perfhost.exe
908   locator.exe
1844  SensorDataService.exe
4148  snmptrap.exe
4776  spectrum.exe
3708  ssh-agent.exe
4548  TieringEngineService.exe
3440  AgentService.exe
4092  vds.exe
4824  vssvc.exe
5216  wbengine.exe
5308  WmiApSrv.exe
5428  SearchIndexer.exe
5616  chrmstp.exe
5724  chrmstp.exe
5832  chrmstp.exe
5964  chrmstp.exe
Reads user/profile data of web browsers (2 TTPs)

Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)

description                   ioc                                                                      Process
File opened for modification  C:\Windows\DtcInstall.log                                                msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  alg.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  2024-06-03_0f69528ba287a5d2f6d6d01eac445acb_ryuk.exe
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)

SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)

Processor information is often read in order to detect sandboxing environments.

description        ioc                                                                    Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)

description        ioc                                                                   Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | chrmstp.exe
-
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid | Process
2620 | chrome.exe (2 entries)
1428 | 2024-06-03_0f69528ba287a5d2f6d6d01eac445acb_ryuk.exe (35 entries)
4064 | chrome.exe (2 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid | Process
664 | Process not Found (2 entries)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid | Process
2620 | chrome.exe (3 entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 2308 | 2024-06-03_0f69528ba287a5d2f6d6d01eac445acb_ryuk.exe
Token: SeTakeOwnershipPrivilege | 1428 | 2024-06-03_0f69528ba287a5d2f6d6d01eac445acb_ryuk.exe
Token: SeAuditPrivilege | 5112 | fxssvc.exe
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege | 2620 | chrome.exe (2 pairs)
Token: SeRestorePrivilege | 4548 | TieringEngineService.exe
Token: SeManageVolumePrivilege | 4548 | TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege | 3440 | AgentService.exe
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege | 2620 | chrome.exe (1 pair)
Token: SeBackupPrivilege | 4824 | vssvc.exe
Token: SeRestorePrivilege | 4824 | vssvc.exe
Token: SeAuditPrivilege | 4824 | vssvc.exe
Token: SeBackupPrivilege | 5216 | wbengine.exe
Token: SeRestorePrivilege | 5216 | wbengine.exe
Token: SeSecurityPrivilege | 5216 | wbengine.exe
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege | 2620 | chrome.exe (1 pair)
Token: 33 | 5428 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 5428 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 5428 | SearchIndexer.exe (24 entries)
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege | 2620 | chrome.exe (9 pairs)
-
Suspicious use of FindShellTrayWindow 4 IoCs
pid | Process
2620 | chrome.exe (3 entries)
5832 | chrmstp.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2308 wrote to memory of 1428 | 2308 | 2024-06-03_0f69528ba287a5d2f6d6d01eac445acb_ryuk.exe | 84 (2 entries)
PID 2308 wrote to memory of 2620 | 2308 | 2024-06-03_0f69528ba287a5d2f6d6d01eac445acb_ryuk.exe | 85 (2 entries)
PID 2620 wrote to memory of 5004 | 2620 | chrome.exe | 86 (2 entries)
PID 2620 wrote to memory of 4856 | 2620 | chrome.exe | 99 (32 entries)
PID 2620 wrote to memory of 3604 | 2620 | chrome.exe | 100 (2 entries)
PID 2620 wrote to memory of 4904 | 2620 | chrome.exe | 101 (24 entries)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups and snapshots. This signature records use of the VSS COM API, not a shadow-copy deletion. In this run vssvc.exe (PID 4824) started, enabled SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege, and is itself listed under "Executes dropped EXE" below, so on an affected host verify both the integrity of vssvc.exe and whether existing shadow copies survived.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-03_0f69528ba287a5d2f6d6d01eac445acb_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-03_0f69528ba287a5d2f6d6d01eac445acb_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Users\Admin\AppData\Local\Temp\2024-06-03_0f69528ba287a5d2f6d6d01eac445acb_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-06-03_0f69528ba287a5d2f6d6d01eac445acb_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2cc,0x2d0,0x2d4,0x2a0,0x2d8,0x140462458,0x140462468,0x1404624782⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1428
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae516ab58,0x7ffae516ab68,0x7ffae516ab783⤵PID:5004
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1920,i,1254385562153859775,6098803559322996659,131072 /prefetch:23⤵PID:4856
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1920,i,1254385562153859775,6098803559322996659,131072 /prefetch:83⤵PID:3604
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2112 --field-trial-handle=1920,i,1254385562153859775,6098803559322996659,131072 /prefetch:83⤵PID:4904
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=1920,i,1254385562153859775,6098803559322996659,131072 /prefetch:13⤵PID:1348
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=1920,i,1254385562153859775,6098803559322996659,131072 /prefetch:13⤵PID:428
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4328 --field-trial-handle=1920,i,1254385562153859775,6098803559322996659,131072 /prefetch:13⤵PID:1644
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3924 --field-trial-handle=1920,i,1254385562153859775,6098803559322996659,131072 /prefetch:83⤵PID:4008
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4216 --field-trial-handle=1920,i,1254385562153859775,6098803559322996659,131072 /prefetch:83⤵PID:1944
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=1920,i,1254385562153859775,6098803559322996659,131072 /prefetch:83⤵PID:4756
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4512 --field-trial-handle=1920,i,1254385562153859775,6098803559322996659,131072 /prefetch:83⤵PID:1944
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings3⤵
- Executes dropped EXE
PID:5616 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae684⤵
- Executes dropped EXE
PID:5724
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=04⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5832 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x14044ae48,0x14044ae58,0x14044ae685⤵
- Executes dropped EXE
PID:5964
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4152 --field-trial-handle=1920,i,1254385562153859775,6098803559322996659,131072 /prefetch:83⤵PID:6108
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1920,i,1254385562153859775,6098803559322996659,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4064
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2116
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:952
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:5008
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5112
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3232
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1732
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:4008
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4636
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:1740
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:1656
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:8
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:908
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1844
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:4148
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4776
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:3708
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:1584
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4548
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3440
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:4092
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4824
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5216
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:5308
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5428 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:6060
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:5116
-
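The two parts of this report that a responder actually works from are the flattened signature tables (which process enabled which privilege, who wrote into whose memory) and the process tree, whose entries glue the image path, the command line, the tree depth and sometimes the PID into one string. The script below is an added example written for this page; it is not part of the sandbox vendor's tooling or of the sample. It parses excerpts copied from the tables and tree above (one command line abridged, as marked), rebuilds parent/child relationships from the depth digits, and applies a small triage policy: flag binaries under the Windows or Program Files trees that the report marks "Executes dropped EXE" (their on-disk content changed before they ran), flag vendor binaries launched by a parent running from a user-writable path, and flag high-impact token privileges enabled by anything not installed under those trees. The trusted-directory list and the set of high-impact privileges are the author's own choices, not something the report states.

```python
"""Triage helpers for the flattened sandbox report shown on this page.

Added example; not part of the sandbox vendor's tooling or of the sample.
The input strings are excerpts copied from the report above. The trusted
directory heuristic and the high-impact privilege set are the author's own
triage policy (assumptions), not facts stated by the report.
"""
import re
from collections import defaultdict

# Excerpt of the "Processes" tree in the report's glued layout:
#   <image path><command line><depth>⤵[PID:<n>]  then "- <tag>" lines and "PID:<n>".
# The second entry's command line is abridged; bare "-" lines are layout only.
PROCESS_TREE = r"""
C:\Users\Admin\AppData\Local\Temp\2024-06-03_0f69528ba287a5d2f6d6d01eac445acb_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-03_0f69528ba287a5d2f6d6d01eac445acb_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308
C:\Users\Admin\AppData\Local\Temp\2024-06-03_0f69528ba287a5d2f6d6d01eac445acb_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-06-03_0f69528ba287a5d2f6d6d01eac445acb_ryuk.exe --type=crashpad-handler /prefetch:7 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2cc,0x2d0,0x2d4,0x2a0,0x2d8,0x140462458,0x140462468,0x1404624782⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1428
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Suspicious use of WriteProcessMemory
PID:2620
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2116
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:5008
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:1740
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4824
"""

# Excerpt of the "Suspicious use of AdjustPrivilegeToken" rows, flattened as on the page.
PRIVILEGE_ROWS = (
    "description pid Process "
    "Token: SeTakeOwnershipPrivilege 2308 2024-06-03_0f69528ba287a5d2f6d6d01eac445acb_ryuk.exe "
    "Token: SeTakeOwnershipPrivilege 1428 2024-06-03_0f69528ba287a5d2f6d6d01eac445acb_ryuk.exe "
    "Token: SeAuditPrivilege 5112 fxssvc.exe Token: SeShutdownPrivilege 2620 chrome.exe "
    "Token: SeBackupPrivilege 4824 vssvc.exe Token: SeRestorePrivilege 4824 vssvc.exe "
    "Token: 33 5428 SearchIndexer.exe"  # privilege shown only by its numeric LUID
)

# Image path ends at the first ".exe"; the depth is the single digit before ⤵,
# which is why "...0x1404624782⤵" is parsed as "...0x140462478" + depth 2.
ENTRY_RE = re.compile(r"^(?P<image>.+?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?$",
                      re.IGNORECASE)
ROW_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")

# Assumption: binaries installed here are "trusted" for this policy; anything else is user-writable.
TRUSTED_INSTALL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: privileges whose misuse lets a process rewrite or take over the system.
HIGH_IMPACT = {"SeTakeOwnershipPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
               "SeDebugPrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege",
               "SeAssignPrimaryTokenPrivilege"}


def normalize(path):
    """Lower-case the path and drop the \\??\\ device prefix the report prints for some images."""
    return path.lower().lstrip("\\?")


def in_trusted_dirs(path):
    return normalize(path).startswith(TRUSTED_INSTALL_DIRS)


def parse_process_tree(text):
    """Split each glued entry into image, command line, depth, PID and tags; link parents by depth."""
    records, current = [], None
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"image": m["image"], "cmdline": m["cmd"].strip(),
                       "depth": int(m["depth"]), "tags": [],
                       "pid": int(m["pid"]) if m["pid"] else None}
            records.append(current)
        elif line.startswith("- ") and current:
            current["tags"].append(line[2:])
        elif line.startswith("PID:") and current:
            current["pid"] = int(line[4:])
    last_at_depth = {}
    for r in records:  # parent = most recent entry exactly one level shallower
        parent = last_at_depth.get(r["depth"] - 1)
        r["parent_pid"] = parent["pid"] if parent else None
        last_at_depth = {d: e for d, e in last_at_depth.items() if d < r["depth"]}
        last_at_depth[r["depth"]] = r
    return records


def parse_privileges(flat_rows):
    """Map PID -> set of privileges enabled, from the flattened table text."""
    by_pid = defaultdict(set)
    for priv, pid, _process in ROW_RE.findall(flat_rows):
        by_pid[int(pid)].add(priv)
    return by_pid


def triage(records, privs_by_pid):
    """Return (finding, pid, detail) tuples; order follows the tree, then PID order."""
    by_pid = {r["pid"]: r for r in records if r["pid"] is not None}
    findings = []
    for r in records:
        if "Executes dropped EXE" in r["tags"] and in_trusted_dirs(r["image"]):
            # OS/vendor binary whose content changed before it ran: verify its
            # Authenticode/catalog signature and compare against a known-good hash.
            findings.append(("replaced_binary_in_trusted_dir", r["pid"], r["image"]))
        parent = by_pid.get(r["parent_pid"])
        if parent and in_trusted_dirs(r["image"]) and not in_trusted_dirs(parent["image"]):
            findings.append(("trusted_binary_spawned_from_user_path", r["pid"], r["image"]))
    for pid, privs in sorted(privs_by_pid.items()):
        risky = sorted(privs & HIGH_IMPACT)
        owner = by_pid.get(pid)
        if risky and (owner is None or not in_trusted_dirs(owner["image"])):
            findings.append(("high_impact_privilege_from_user_path", pid, ",".join(risky)))
    return findings


if __name__ == "__main__":
    recs = parse_process_tree(PROCESS_TREE)
    for kind, pid, detail in triage(recs, parse_privileges(PRIVILEGE_ROWS)):
        print(f"{kind:40} pid={pid:<5} {detail}")
```

Run against the excerpt, the policy surfaces the three things worth acting on in this report: the sample in the user's Temp directory launched chrome.exe with --force-first-run, several service binaries under System32 and Program Files ran after their contents changed, and only the two sample processes (PIDs 2308 and 1428) enabled SeTakeOwnershipPrivilege from a user-writable path; vssvc.exe enabling SeBackupPrivilege and SeRestorePrivilege is not flagged because it runs from System32, which is exactly the case where the integrity check on the binary itself matters.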
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD593c5967b48103e712666d87ed8b3d115
SHA169e1b8a446f1371c0eea5dab361855225e820fa6
SHA25661d767447608c70da7cd8daba781d2bcdcbb9513883865eb44339f3e7f3d8538
SHA5128ab3905a9767b5f06705303aacf4b02220a94cebc563b37d306aaf15347581c563f6613cf8e70c241ae3c5397ff8e652b80640aab9f446e973b6bc9ae41b90d2
-
Filesize
1.7MB
MD5aa64d81d8fcffa372c12894d0a7071f0
SHA14b5222e66057ac7449d461d59d5fc1b8973350ff
SHA256cab60185e0a7eb591b639e199708dc1a60701f8e72e71344f9061509b014c5ce
SHA512a0ab807ab57e2e5cb598aae6a569ec68cbf98e7a5934fa493b52340b3a69a058c151b6741a6f70353568f79e16b137991c62a1651ab2057bc81e9fc94acb7c83
-
Filesize
2.0MB
MD54d4c281b3bf535452e93df6a76abb078
SHA1a099d677e078ff338eeb014f8dc64aff1524304a
SHA256751c763428abd6884d782a25053ab973d4b996ed9916c7daf0dda8b5134d8bfc
SHA512e72e63a1211dbaf5e75b0082c287a5f816ebc4072fc064fd611f521bb82b2dbb8c4a360db1682071c87649daf27d05ec5010d87337acd77c08075759a5fc731b
-
Filesize
1.5MB
MD51b316163ec1c9725f5dd23ca3fbb862d
SHA19cef5e13a3bd0fe124ac9c8673504d2a6f724c1e
SHA25621e38840bbbb4a6a64117c34e74b6c753633c00121fcb2928befb4a9a96c21a3
SHA51286513c9102e52eec0be92a70b2e3e24f6a267ccf5fa11c8cee2368125d38ebc837280cc3942574095acb36d64c22382af0dad4517b7172a4fac2825bc7ab9622
-
Filesize
1.2MB
MD544e70628fe50bf6a9c9e3fe1438ed665
SHA1d6ab82965df9967d6c816aedee4b06bd48417aec
SHA256c42ebd52c27c054c3e56c26fc57e34b5420a333420f313056b5c501ad2210db5
SHA51241a0cfe9ff319ef7d9635058492efcb215d50f250f8efaf81790e6d9e10445239841534cffdf82c043edbc4b014d4359f76dda8ddf8ea2c1a73ab0c1060dfa35
-
Filesize
1.4MB
MD5a54693c7ac02fd8430057b420f944b6b
SHA1ec08f1805cd63358960361487e0b17b3f4ba53af
SHA256fc6e54a2344eba674021ea8b17ba6de1564f1ce31c8b1f6be1d5776394a9c328
SHA5129beb442ee720de54c70390926b494a994f4fd5d5b269cdb69c1954aff1087aed81bdd8ed8abf51c9dd4f3f01c2e2cc7da8323967cf3bc40df9f01280b825f7a4
-
Filesize
1.7MB
MD570df4120f8808644946d17330aff12eb
SHA115e1a2695a7fb4a8602cad67e32d6677b4934f0a
SHA256127df5a219fbc812ea492b1360ed9534a82d952ac5efdc6a2bfd15d2b9bb5b2a
SHA512d1c3a1f87f7d66cd03d1f11c9accf74336b05e22aab749eefe9c9f606d067c4ffd688860e65ea953a382a7ce83452d2c4c379db14dbb509b53cf3246a5bdaeee
-
Filesize
4.6MB
MD5606efa4a53a7b253f6173e19c26bb645
SHA1ca969201d3cedd5113653a75f4d6650fe00fdab1
SHA256377eebc0b101dc47def278716aaaa0963740c23de6616c0981b3f9af88da16f2
SHA5127b96659786b489a9ec9c62d80849da2a6fd31be7672df11f305abd4724d51033b9bfece242d68be72ad62e49ec4554ab21ff22cb5b817ec9077cd687f0ccbdd8
-
Filesize
1.8MB
MD5f353ad26e920aa9fc18052aa0405e3d9
SHA18914c2436cc25f0cc7ca48b1939281203089261c
SHA2562deda3dbc9efd42591884cd7f9782d18a16e1edfc4a59488ded2dc96e548154b
SHA5128db56406cdd7ab5bd88b316d71576682cf3a6d1bc26f78aa79407bbc34d25d6f713e005885c88a7600308808d360319398d00b105555cd4143bc79f54ba3a964
-
Filesize
24.0MB
MD5cab4553c7fa0e3d8864eb6b3267f18f6
SHA1dd262ca0cc221491d43f373cee03771a8372b884
SHA2566fb5812acc2054d5faccfa939e83bed82bc89f481742555a90b0af60a5b6915e
SHA5121f34174061a084b07ac2a243ff744339a7b8ad795e298a9df37002e4c9582c3fe2d8e7b54f3d16eb56520929b25790ea28f499a36b02ebc91c622c01c3f9784a
-
Filesize
2.7MB
MD590a95e2c9cf57dac18062c4970a1284d
SHA124f5bb5459ae9d6dd500b94111c347706078ca1a
SHA256753d4127b3ac03980572dfcc9a641f44de1a578eff3ab064c454ff5c41b8f421
SHA512f6d614cbb55641d6f41e7c269a87eb6184e76c53aa8047dba1cf5c701b79d7694a31775c2743b06e3a24a001eb89878bda64ce4ededb7aa9b33b0172ffffd86f
-
Filesize
1.1MB
MD5493805bcb7b760fd7782a73d16e2b787
SHA11411a0f4581ba29a4d62901e770b05e7d2389767
SHA256ff40d6ffbecf402b71640501a4f370bdfc8b7285dc0da2f8f4d29732cdf6d3ec
SHA512d9b2097d473e62279324f81bfdce11e3e6621ac114cf034e0655faa8f75c8e2b97ea6e75ec1be80333b4297e3d763f14c75f2fc325c9219141daeb4224ab4c50
-
Filesize
1.7MB
MD50f618e563e8f679d20d218921a3f5464
SHA101aecb0e080bf24a336bc1c38a35b3345f3e225c
SHA25605821c8f3df180fa5178395702ea36b6339089d684750a262b1b774a6e59834a
SHA512 f791bcb29506c6cf0e0d35ca5d0327df53641cbae07ede34a1dfe883a0d4ff480880d523003f08bdc05d45d72ea3d2fc115e05ae09544edf41edb8f003c359c2
-
Filesize 1.5MB
MD5 37093a47a26dc3addcd86b1cd4b69d5a
SHA1 5e53a6c465e80549a0e1dbba5f3fb52c5506bdea
SHA256 fe5329bf01d23d23b36e7758eed984348c9934a9253b445754ae389d1179f494
SHA512 1a01919b27d269abe96b73455bf0f59f5a595bcf38fcf887387489609e56de05f07599b55a0db71faed64012e1e212575c8386d8acc8e0b6225506f8d8866f34
-
Filesize 5.4MB
MD5 e9b7298a8cf1519c75b179c5b87f8c18
SHA1 a88e98b950014fb7550dbfd7ae3bf8287b182f19
SHA256 7aa15e9102b0f365819f42dc3238373e04b561ba4a82f345c55d6096d2641bf1
SHA512 0782f53f2f9760877ff15a2d4241e8fdef438554fa0b4d64ec0fb5d23586cf2cb192f6d387d4e2d9e300d421e9ec0a2840147cfcfca673807d0511b17d545ca6
-
Filesize 2.0MB
MD5 1fbf615ab0dc450b66156fa9438aa28c
SHA1 eb59db3ca2fdbc142b466797ebec3ede8e4fc0ff
SHA256 1416bcc9db9ca0d566a8fa82d5c49584ed5a873f9d2d5270f397010faf5bbf16
SHA512 6e7971b94d7a2ce632dace423b3fd104ddc9dd2e13f87bf4ffb14e47610020b1e97981fa5cf6933a0aeeaa9878fe90f177e4bddd37b3f5ba1dce2955d0e3404b
-
Filesize 2.2MB
MD5 1d0873d36d3e7b9bb08c281d2cb55a4f
SHA1 aaf5bdc545d3a336ae34a8fe47f8b6e26a285140
SHA256 84ed1c001a0788ac8170d78f8488c2a0b3e8894acb9ea7b5d84bdd7ae2c684f5
SHA512 d9a8e28e90a8b629feffcf1611e5497ed5dd044b5614cad2f730bd66bb596f5793dc96ed9d98f6b917d670222e6e18c5f5044f9f34ee49aa97523415397dcb4d
-
Filesize 1.5MB
MD5 aaae72f1648d23eeeb143c0562de7913
SHA1 c080cfeb4b73d1347b9cbf450fd2dd0cfc05272a
SHA256 076842dc0f9aff50a2311512106c131da48b82a9829fe4a5b7155545e0e0cb72
SHA512 8238ba596239dfb4ba4b9eefb183b402292b70c41943e27286f0afc5d8cbd43527ce66343301085f673816ea4c42e5d2b026580b0525a21f4de906376276f42c
-
Filesize 1.6MB
MD5 9f6741739d72171d459457d56b63c1a8
SHA1 1299a63a7fe5f55082c569a61dbebda625c3b46f
SHA256 d937332a4c83587ae2be20f4360f172be994b4fff0ebb39e5427944685401fc9
SHA512 12db0793375587472ac84686ad6f9c70a39e20e60e51f3940a205e0c0f5101dc7caa56d465027b2d66f7676bf1c33a5227147ab672f547f5e35ddd732097ec5e
-
Filesize 40B
MD5 ecca8993047150870094c763386eb4e0
SHA1 e77376a1868359b6270fe9924477d645bd5d7d1d
SHA256 bc2822a5efb199dcc655254b162e8e690280697a639ba9b6901133798470dafc
SHA512 28eee493fd526ef4227665583b28d600954d71babf027c2aa6bc8d72684d4ebe8b84436dd75a7fe29b6d17c8fd91f27a08e4d9deb53e8460a518bd7c09ca297c
-
Filesize 193KB
MD5 ef36a84ad2bc23f79d171c604b56de29
SHA1 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256 e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512 dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize 1KB
MD5 fd18c7a02fdf08cb294773b0737cd18c
SHA1 a0a407b3aa122886a5e67e786066992cd92424d2
SHA256 261a6e74fd1d9acfed6c7213047f054f864667c81cb99e6200a8182c937abd39
SHA512 0dac4fe39f37198ce81784347eba0c521ff51096d1768edbe257f6804d37f585b57836f3975777b42d28e12b61763cb9ef336aaae4967856f24e7f56d1a094dc
-
Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize 356B
MD5 aedb3076ba19766dbf04b917ed0ccc72
SHA1 a1296e4fecdf90229d782672a2e484591674d90e
SHA256 c830090e11e648cf0726777a5f5131fa187c7794577792641092205a8d8a7bdf
SHA512 5d5bdf06655e5f35b9cf4616405338187660815288f82c9f7e46c6b052cd37495a314b455505fed12249873ddf6da58216f95156c64716c05c413d4a2a8f60ff
-
Filesize 5KB
MD5 cf8bcffaeb3d5444faf5ba5a1f0b077e
SHA1 4b4a0294fe3bb1c12f713960fe5eab2dc1eed10e
SHA256 9e6fd860b4f3745fb549db5408d322aded74159898dd64f0b8e814d4d0adde95
SHA512 7bafc19886a1fbe8e0133ec7d79d2aa4ed3ff20846846061f7e921edd17de5525446fe7dc30bfcae12391ecfc7d3f8e3ae1c08927e98a5940ee7cdd714b134ee
-
Filesize 2KB
MD5 17452b252e572ce0e1d15bd52b3d96dd
SHA1 76e11b2ee8ae5cfbac60be4c4f1609879da3586f
SHA256 078b9af3cc02d4ce24f484c105def6fa6ab3b239269d39b503bd592cd8721ca2
SHA512 23c427290207f4496388e375917532a84121cd606cf36e804d2c30439167068e4eb43930ed32d406fa86cca6cd7f38d3c4f2f3f0bfaa9e157c6cec6e1e8546cd
-
Filesize 16KB
MD5 502fa2e4dd9f788c958541de62179ff3
SHA1 2e25f8b55265c3f524901941706e6336e2307407
SHA256 735296b7d7bd72da48e6ae26adeb1700652e85745d35ade62be862d7eed7e6b6
SHA512 e8821c930d92412e47d30afb2397a25fcb455be4061e49e48a2016f122623733c9efba88c8a14009724649c064b07402313bd416a16365427ce94d3d076ad859
-
Filesize 260KB
MD5 69aa4e419987677053bc6e55f6bc44dd
SHA1 b6a25e0017e3ffed8a26a0a00b20ae415f00beb7
SHA256 3a35732fd0dd782a72b949d517a9244bf60ce067c4e986a4675171a62a151ed7
SHA512 0a1d1515eab1fcf711539780235e65ab7f169a1e2f87baf296f1a2793c88db9c723186ee93eef6c40deec15c508a16a96662b213fc6e6a54af340a3f9397405f
-
Filesize 7KB
MD5 8df3fe5df7fc2f697aa4adf2a8f2912f
SHA1 b72fd926f793a56b6020080544996f16dbe9bbbd
SHA256 6fb7daa158651b0a4ffa00080d8fc6a61d6225d8f3cbff9d287d14ca9b185d9c
SHA512 01e16c4213a76e5bbd91adc78d608b24ed7cbbd39c69f21f86dab84b47d8c1d6421b21f545a663c54d53cfe9a682291f9c94fc6d511bbef37bb8a677acbaecf1
-
Filesize 9KB
MD5 64c7793c8abb6c2090332454964f0ca7
SHA1 3a9c4c4e2052bf35e15a73cf0037cf3dc47795a4
SHA256 f9c934279a769fdfffedb63c696fb256d302e2b7682b6b08359ecce3cd557ae8
SHA512 504b4dbb2781dba4f9bdcf9969673656c2e207e09ce3a772ae000854de6173f329320ed8cd9b30298dc064b2459b3c9b55f21e6ec083a969015b7ca4f003c043
-
Filesize 12KB
MD5 2c25221f4a3af56a9f5c09e6e0f88758
SHA1 1699a018cd41f6849d124d713275d6173bf7b08f
SHA256 baeb1454314ee78a9eb953b774e8690394995c6254ff328d40fef44ba20799e0
SHA512 6163a9f0621c2d154ce988a9d6305840b1bfa39411468e0520668b35f40f285cf9f66967c1f3189e7cc1d8b9d32117b5f1a75783c515dafd88a890c808ea8c35
-
Filesize 1.4MB
MD5 8a5b38a17515f784c882831ee8514607
SHA1 3813a66c46becc6dbf170661d23830f362b1a401
SHA256 5ddb8ea5b39063871080094156376f2fb782b330d07d31dfa83d1c3eeff92bc1
SHA512 dd1b95756cfc6ebdc624de80e37d24406469eddc38426cc9ea06020d6348961add4086b115ea166ac1d3021529b2b5ff0c70d5609a09fffbc80e5fd915b7347e
-
Filesize 1.7MB
MD5 82f7db4dd4814dc9a2e5897d8234783e
SHA1 4ee770aa790b2c62d2a771998c1fba437c0bab0e
SHA256 bff67a9168b05c31158f7af57ecb8167bd6e6d332510a7769f4c8ffccd4c54c7
SHA512 0e009953f253af791ee2d648df7ec640102d808780421b0db1bdd0e2d046d8e606a9a6cd7ac28e81faa786b7da95abb61094e15fbc53d39d5adf743100bfdbc7
-
Filesize 1.5MB
MD5 0b1fcd4780898bb1ec55fefa8db790ae
SHA1 7af47b31d6b1884b8ce6dd754ea6aa179f0dda4f
SHA256 d0398c4a9128e1e759f7bd9947169e028119fd1ddec28c8f65f3299e70b591fd
SHA512 ac0488f8072da6fbe0aa1468f75db338cc5aa42975b7346b1c31fd5efc276bf83180defd61c47f953432244b2cfd75f9504688aeb3ca1771484ed3db60d2f895
-
Filesize 1.2MB
MD5 8b9e0b24d57a58a4f20beee543298b0c
SHA1 1821a210659c1e79513c2484fff32da5e5f59d5f
SHA256 c6fc99fbb50d8082ab882c27f14ab8fda522c1b1ab47b7a35b6c8975d0d81671
SHA512 07cd2f6fe9ea28577eeb5a3d81c7eff3f1577834004783571c0a2c6b05a10a9694d92130b58f9c0e578c3bda6c51f30f09ee55976615ea112bb51586009318e6
-
Filesize 1.4MB
MD5 69e6d589d197015ecf90af99b5d8bbc8
SHA1 803fc9cf3a6fc3595de7ad3e544691db7ac67dc1
SHA256 1325048137c7cd53c29a1d2a656358cb66ec4ec0917c643482c5e830e215acde
SHA512 d9025febbe6f8588c5e70661b63c8c6395a82de1630fb552f723e431f9a280292835281856838ffd3659bad31bc6b1c23eac6eb1b21093ba79c9a74549b05e5f
-
Filesize 1.8MB
MD5 c4935720d8bac5cb6b47a1701a82602f
SHA1 2944f02f937e7e5e919db1bfbe7bf91502838fc5
SHA256 4363fc80210dd7e328fa4aaafa53c945b1152a1ab85f014e51907d682a9227ec
SHA512 99ea98b407e4a0b819c60b6dfab6f70db926cfc759c487994a3b0b8d6881d9d0d38e672fab97c12516be20d8a72fc2b102005f5b87ae1b20e580129713fec3ad
-
Filesize 1.5MB
MD5 16bb2109ebae5b5f01ccd456248d8157
SHA1 aee309275d232a7c5a4dd95c2a69ae753337baa3
SHA256 e9b1cc557e6316be73d253f94a0a19e09b35dc1fec0f85caf181547744c45b31
SHA512 3f7b3e4f472a490410acd1d254830acc22aabe70176d2ba5d7421765af444f6b117d59689fc33255bdcad2c40eec6289bb5c04e811733b273afcd68183deb677
-
Filesize 1.4MB
MD5 efdbfd796df5f0e1f6f03678bea11ae1
SHA1 67ac18db91c74eaaaeaed25fa6f1ca3f5c4249ac
SHA256 3d780c82402c88e1935813b4835815262a9e1bb7b72594b4f6458a8f0b1bdae0
SHA512 3746083fd290051c9412b5cb311746fae2aaec1143a03be3c3e5e17fe1d347ec99bb5127ecd737971c23ab78ead46ddaa8adf96cd15c200fadf662a56ef9bfa6
-
Filesize 1.8MB
MD5 518adda297a47887b960533341b5866d
SHA1 931acf49b2419c919c28d6054b9b07a9c93db6be
SHA256 6b0a5d8d900ed030c38a3c658b41e62a988afd5cffc557bc033e5b733548969a
SHA512 b983b12da2ad137a0004b154716f322293b3c45221b9cb5b9d2b925321677cb8124c3ed0e319111ffbe0158cafa0477eaa69b4e9a52994d916d24df87ee08eca
-
Filesize 1.4MB
MD5 dbc979afece2f8f9848fc7280aafd567
SHA1 d45085a074130af0bd16890546d6ae0868101cfc
SHA256 b89e63d4836a8d791981665edd074790e48d371259decf330232c041515762d1
SHA512 796cb09d9a362dc57abd464f5a91881fa149ba70e2013610e3e106292eec376b9f2c1ca7db92de30fcfa829c995b3608b90c73085b3e768895e417cb8dfeca20
-
Filesize 1.7MB
MD5 5eeacf7e020d6bcede798dfe177e1ab4
SHA1 444a0b70f05b2231446ccd7dc08f4bda7999d629
SHA256 8829f15f5227edae98a0db7d53d594200c18263c6926d14d87df276fac0615a3
SHA512 d894d03c172635d39496083b33d2f5fe5ba515094f5c4c8aba7ae5061016a628cf35205a729bf3ea3524b998d7088aa1918ad66201402be2df3074ecaac0fe9b
-
Filesize 2.0MB
MD5 92644916be0257419fb61fb3c0c1d767
SHA1 5014b17cf89b86323605863429cca99569cc4591
SHA256 f7d7bd240f920af854ab0072f73e923d89ec5f13dea0b0c503c8be88de7f53d0
SHA512 426a620954185ebf5f2ecb8a9b475de78d03c2baf7e0064461857a360d5de32b613c92a63f77e84e956dba07b4556fa38dba5ca430e43872a7a43a7574f68632
-
Filesize 1.5MB
MD5 d58cb4710c686882f765a15ed4d3b694
SHA1 884925b58a42f9d9371d515ba0759d7841048e9b
SHA256 1f85b0516d414465add000b54a927cc6080681d197ef5f2f4da0ddc406f8a493
SHA512 38ce1d5aaab137bca5aaf1c41a7cdda5865f354b99e6a67944843d00f90d0a9b24d0beeca71bc84e6ed938530f8613977a1090ab9d00af25ad8c403bb0382b24
-
Filesize 1.6MB
MD5 cf55c6d2448724b2c5a9018724984cd9
SHA1 24d41b49a2206919179544494cfd9ebb0a2d6e33
SHA256 24b6e586ce1b117b40104198e4baa338a91318f5b22b022f172ba97631f702be
SHA512 e520fe63ae0ec21d9f33156368e1586b9db3b0b7967e92705ff8ee7bfc8ae4de1a80cd000e6268f09fd7c132661dd0d1b75bb252589f78813343e38bf8717768
-
Filesize 1.4MB
MD5 a9a2e4c76dd76402aa52b7e8a45eb6a3
SHA1 5dc8c51ebb52d23b0dac8fefacbf7a72c4ff3d0a
SHA256 0e07735df19a479b6db667adb50f2e69b8ab19c1e5e157bd21cb6c4580b3fc07
SHA512 561d2de716e54407900a3faee48cd7bbbca162e85464210a7309b189da88950070da8d1bb25d87b2352ba34edaa331e4b318e468399e00a1dd311d3f6852550c
-
Filesize 1.3MB
MD5 00dcfe13bd5f9f01fa67612d0e22fb56
SHA1 a60679dc19151c57eeb40c8c663dfd7947a01fad
SHA256 2369bbe062a81c94edc98a682b5ef0d51460282a651beec9f12e1cc030144e8d
SHA512 66bceb6099c16487fe6d7885d81382c6979890adc67fa00049872bd773f0884cbda748143d39f446ff31246a602ef1625c559b940aab8b16ec7c7da8a3fdbf03
-
Filesize 1.6MB
MD5 680fec96c4e6be4ae9ec9145ef505d76
SHA1 6b1dbf1ab564b0a9d8b7bc95dee24389e2c9d15c
SHA256 8420c8a5b19032a6f6a964aa6144a4e08b438eb9e466fb4f28adb75fa9b8ad1a
SHA512 bdd42ecf04f51ec9fe41358fe0c8d8ac7b9562547a68e1bc9ad9858d38221ad767ac9cc6fca12a525d517ea556d9887054fe29f1ce03d1c5897b44d41c7d40b1
-
Filesize 2.1MB
MD5 254e8d12b995b569079ba85acd189227
SHA1 7b3b9c286c2adc70c859f00f0d66556ed7931cd0
SHA256 ddc378121c614bcdd230fab117163a4ac5d75a38c789fe321c584673997fee39
SHA512 86cffc47bca86ae9f884e049ffab501a0b24d07fb26fa2889a192ab7b159134aa172e642230bc2a7c9e4dc3a1eea09fb2c3d067d6de470645da73a6d47568e73
-
Filesize 40B
MD5 95c33cc1969930fefbdb95f99b2a9882
SHA1 cd2cd226b2c6f6de0bb090f9ffadb8e643a23970
SHA256 53b715becb7434a9ec7cebf218a7397d5c30fb50f6d3ac578728024f00ba194e
SHA512 c5992c3d6c1d20ed54d7e8cee2d3ac42d929812b770ae770881b4d09475b23cdd5afb323f401ca81bee5566f09638581f8e86b717bfdaf11596e7398978070d6
-
Filesize 1.3MB
MD5 3035a6d27acf77f5dc7e648b595e4ef6
SHA1 36406ca899028099cc38f53807ec0800e31f52bb
SHA256 38a823dd91bfc27c4d7c099912380a40eb1db6af41b7d76cffbffda09c94de9b
SHA512 b2366c87683c711e25828f37ce333df6d7a5cf2fc21347501b26c620a101317549625b7f282eb36f5fc0c2c89ae00bec1d7b02c10fe5a2476efeff777d2b6b6a
-
Filesize 1.7MB
MD5 1f35d865b49bf4881ae480a94a9494f7
SHA1 ef3f0094e76991f06076a89f19bb9deafa6a26d0
SHA256 e60d9cdb7dc4b63536c5c74c5c18828c80068826b76b2b2b97465b282b47a389
SHA512 e26dcb5f5f8e006fddcd2997802877541c4fab307ac2aaf5a838d5a39b4e3892eb184cc5bae7945b5a09994839e6041a580f27d8df09c7e839ef0264a16a5b94
-
Filesize 1.5MB
MD5 7e5a27d0974f51390ec777b3b0be1a56
SHA1 56b01ed9abcac7a41d39b428eb5cc49cc23190c6
SHA256 2e886abcf82f102d001901ce023f012933df427c82277be426129a51ea110397
SHA512 93bd8bde8a3665f1f754656a4446a91100080d14d3823c71cc576677a9a14cd7853cfdfcd3e520e8064501936292a2c840105daacaefbdc5c81736d6b00f8737