Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/06/2024, 17:44
Static task: static1
General
Target: 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe
Size: 4.6MB
MD5: 08b0899c5dabd0332b2bad2cb5ff0514
SHA1: f0e936b3d9c1dfa0d28d26c292e7154c9d1f413a
SHA256: cbabdf6269b6a4f6c6b6bde6f5ef34ed42df36b7867be8786b0d4082f1384451
SHA512: fbc2b8317066ee9a659f1da37c6355d8fbddc2b7b97ccb71fa6910329704756a16c16209ae9f82ca8018a9538806afcb6df0f1fef4c0e2b752496fbf90d027e6
SSDEEP: 49152:EndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGf:O2D8siFIIm3Gob5iEgdt6N3u5H
Malware Config
Signatures
Executes dropped EXE (26 IoCs)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
description: ioc (process)
File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (alg.exe)
File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe)
File opened for modification: C:\Windows\DtcInstall.log (msdtc.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description: ioc (process)
Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (TieringEngineService.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (TieringEngineService.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
description: ioc (process)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
Modifies data under HKEY_USERS (64 IoCs)
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe -
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid Process 4336 chrome.exe 4336 chrome.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 
2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 5280 chrome.exe 5280 chrome.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 656 Process not Found 656 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 4336 chrome.exe 4336 chrome.exe 4336 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 4316 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe Token: SeTakeOwnershipPrivilege 5024 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe Token: SeAuditPrivilege 4956 fxssvc.exe Token: SeRestorePrivilege 4980 TieringEngineService.exe Token: SeManageVolumePrivilege 4980 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 2356 AgentService.exe Token: SeBackupPrivilege 2936 vssvc.exe Token: SeRestorePrivilege 2936 vssvc.exe Token: SeAuditPrivilege 2936 vssvc.exe Token: SeBackupPrivilege 1260 wbengine.exe Token: SeRestorePrivilege 1260 wbengine.exe Token: SeSecurityPrivilege 1260 wbengine.exe Token: SeShutdownPrivilege 4336 chrome.exe Token: SeCreatePagefilePrivilege 4336 chrome.exe Token: 33 4956 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 4956 SearchIndexer.exe Token: SeShutdownPrivilege 4336 chrome.exe Token: SeCreatePagefilePrivilege 4336 chrome.exe Token: SeTakeOwnershipPrivilege 4956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4956 SearchIndexer.exe Token: 
SeTakeOwnershipPrivilege 4956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4956 SearchIndexer.exe Token: SeShutdownPrivilege 4336 chrome.exe Token: SeCreatePagefilePrivilege 4336 chrome.exe Token: SeShutdownPrivilege 4336 chrome.exe Token: SeCreatePagefilePrivilege 4336 chrome.exe Token: SeShutdownPrivilege 4336 chrome.exe Token: SeCreatePagefilePrivilege 4336 chrome.exe Token: SeShutdownPrivilege 4336 chrome.exe Token: SeCreatePagefilePrivilege 4336 chrome.exe Token: SeShutdownPrivilege 4336 chrome.exe Token: SeCreatePagefilePrivilege 4336 chrome.exe Token: SeShutdownPrivilege 4336 chrome.exe Token: SeCreatePagefilePrivilege 4336 chrome.exe Token: SeShutdownPrivilege 4336 chrome.exe Token: SeCreatePagefilePrivilege 4336 chrome.exe Token: SeShutdownPrivilege 4336 chrome.exe Token: SeCreatePagefilePrivilege 4336 chrome.exe Token: SeShutdownPrivilege 4336 chrome.exe Token: SeCreatePagefilePrivilege 4336 chrome.exe Token: SeShutdownPrivilege 4336 chrome.exe Token: SeCreatePagefilePrivilege 4336 chrome.exe Token: SeShutdownPrivilege 4336 chrome.exe Token: SeCreatePagefilePrivilege 4336 chrome.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 4336 chrome.exe 4336 chrome.exe 4336 chrome.exe 5844 chrmstp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4316 wrote to memory of 5024 4316 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 80 PID 4316 wrote to memory of 5024 4316 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 80 PID 4316 wrote to memory of 4336 4316 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 81 PID 4316 wrote to memory of 4336 4316 2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe 81 PID 4336 wrote to memory of 3648 4336 chrome.exe 82 PID 4336 wrote to memory of 3648 4336 chrome.exe 82 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 
105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 5064 4336 chrome.exe 105 PID 4336 wrote to memory of 4060 4336 chrome.exe 106 PID 4336 wrote to memory of 4060 4336 chrome.exe 106 PID 4336 wrote to memory of 1772 4336 chrome.exe 107 PID 4336 wrote to memory of 1772 4336 chrome.exe 107 PID 4336 wrote to memory of 1772 4336 chrome.exe 107 PID 4336 wrote to memory of 1772 4336 chrome.exe 107 PID 4336 wrote to memory of 1772 4336 chrome.exe 107 PID 4336 wrote to memory of 1772 4336 chrome.exe 107 PID 4336 wrote to memory of 1772 4336 chrome.exe 107 PID 4336 wrote to memory of 1772 4336 chrome.exe 107 PID 4336 wrote to memory of 1772 4336 chrome.exe 107 PID 4336 wrote to memory of 1772 4336 chrome.exe 107 PID 4336 wrote to memory of 1772 4336 chrome.exe 107 PID 4336 wrote to memory of 1772 4336 chrome.exe 107 PID 4336 wrote to memory of 1772 4336 chrome.exe 107 PID 4336 wrote to memory of 1772 4336 chrome.exe 107 PID 4336 wrote to memory of 1772 4336 chrome.exe 107 PID 4336 wrote to memory of 1772 4336 chrome.exe 107 PID 4336 wrote to memory of 1772 4336 chrome.exe 107 PID 4336 wrote to memory of 1772 4336 chrome.exe 107 PID 4336 wrote to memory of 1772 4336 chrome.exe 107 PID 4336 wrote to memory of 1772 4336 chrome.exe 107 PID 4336 wrote to memory of 1772 4336 chrome.exe 107 PID 4336 wrote to memory of 1772 4336 chrome.exe 107 PID 4336 wrote to memory of 1772 4336 chrome.exe 107 PID 4336 wrote to memory of 1772 4336 chrome.exe 107 PID 4336 wrote to memory of 1772 4336 chrome.exe 107 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Path: C:\Users\Admin\AppData\Local\Temp\2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe
Command: "C:\Users\Admin\AppData\Local\Temp\2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4316

  Path: C:\Users\Admin\AppData\Local\Temp\2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe
  Command: C:\Users\Admin\AppData\Local\Temp\2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5024

  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4336

    Path: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80c84ab58,0x7ff80c84ab68,0x7ff80c84ab78
    PID:3648

    Path: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1912,i,14650696390592978703,16048101520113071626,131072 /prefetch:2
    PID:5064

    Path: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1912,i,14650696390592978703,16048101520113071626,131072 /prefetch:8
    PID:4060

    Path: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2064 --field-trial-handle=1912,i,14650696390592978703,16048101520113071626,131072 /prefetch:8
    PID:1772

    Path: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1912,i,14650696390592978703,16048101520113071626,131072 /prefetch:1
    PID:220

    Path: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1912,i,14650696390592978703,16048101520113071626,131072 /prefetch:1
    PID:1704

    Path: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4356 --field-trial-handle=1912,i,14650696390592978703,16048101520113071626,131072 /prefetch:1
    PID:2604

    Path: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4248 --field-trial-handle=1912,i,14650696390592978703,16048101520113071626,131072 /prefetch:8
    PID:5184

    Path: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4612 --field-trial-handle=1912,i,14650696390592978703,16048101520113071626,131072 /prefetch:8
    PID:5212

    Path: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4936 --field-trial-handle=1912,i,14650696390592978703,16048101520113071626,131072 /prefetch:8
    PID:4360

    Path: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1912,i,14650696390592978703,16048101520113071626,131072 /prefetch:8
    PID:5376

    Path: C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    Command: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    - Executes dropped EXE
    PID:5532

      Path: C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      Command: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x14044ae48,0x14044ae58,0x14044ae68
      - Executes dropped EXE
      PID:5752

      Path: C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      Command: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      PID:5844

        Path: C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        Command: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        - Executes dropped EXE
        PID:5964

    Path: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1912,i,14650696390592978703,16048101520113071626,131072 /prefetch:8
    PID:5544

    Path: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1864 --field-trial-handle=1912,i,14650696390592978703,16048101520113071626,131072 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID:5280

Path: C:\Windows\System32\alg.exe
Command: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4104

Path: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:3548

Path: C:\Windows\System32\svchost.exe
Command: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:3384

Path: C:\Windows\system32\fxssvc.exe
Command: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4956

Path: C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:1724

Path: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4984

Path: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4892

Path: C:\Windows\System32\msdtc.exe
Command: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5104

Path: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2892

Path: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4608

Path: C:\Windows\SysWow64\perfhost.exe
Command: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1512

Path: C:\Windows\system32\locator.exe
Command: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3852

Path: C:\Windows\System32\SensorDataService.exe
Command: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4856

Path: C:\Windows\System32\snmptrap.exe
Command: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:1044

Path: C:\Windows\system32\spectrum.exe
Command: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2384

Path: C:\Windows\System32\OpenSSH\ssh-agent.exe
Command: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:5096

Path: C:\Windows\system32\svchost.exe
Command: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:1636

Path: C:\Windows\system32\TieringEngineService.exe
Command: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4980

Path: C:\Windows\system32\AgentService.exe
Command: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2356

Path: C:\Windows\System32\vds.exe
Command: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4380

Path: C:\Windows\system32\vssvc.exe
Command: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2936

Path: C:\Windows\system32\wbengine.exe
Command: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1260

Path: C:\Windows\system32\wbem\WmiApSrv.exe
Command: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1480

Path: C:\Windows\system32\SearchIndexer.exe
Command: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4956

  Path: C:\Windows\system32\SearchProtocolHost.exe
  Command: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:5976

  Path: C:\Windows\system32\SearchFilterHost.exe
  Command: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:6088
Downloads
-
Filesize
16KB
MD5c7e6e1808e558bd1b129f0f35eb23a91
SHA124e886f767cde632b85f3545047d4b2d9f39709d
SHA2565d213b23d7c6e18732d1c965f627b5e768928fac754b257b51e6394a6d741b66
SHA512d74744ca41721420acd4732037c8b84545cc226691b2ab5f9537cc725b8b3f2790b64676c2460986e810a408198f4469eb2834e677507743e6435504b65072ba
-
Filesize
264KB
MD59a4b502d5c1e1877145d6c883d34e23e
SHA132d6ea8825ffcccb127b86e2dae4178bafdd2dab
SHA2566c57590b19c93408ec833cfd98beb4f6fa9b5d189bc55f57df39cd8e25e82025
SHA51219c165d6efc6c4b6387b6f75f7fefbf46163e683acad3962572a8aaa1307831ae1d700738feefbe4d3cad21a2aeff57be13e42ee1bab11fbe6ac283ca342d2d8
-
Filesize
7KB
MD5b1d79eb95aa6ae4cbd08abed49d85ddc
SHA1fe5f06996776d9862a00ec269c1c0a2e0b26e6b9
SHA2563d0d3749b015bc75fa9a65f0a81d235dc7379be73e76868a707e75f64f97453a
SHA512312579fb39d0880f579713bc902c04cbc298125c9c79c7c8d8fd5277d917dbd43cb651959df46c9530d63071f6cf0803d5617bb6a3ee8d810db049353177216e
-
Filesize
8KB
MD5a9a96a3e813f0c5199cf13db6d888866
SHA1e62269a71ed9c94758a92856500fe0924864b66e
SHA25661dc3aad19f98e72128003bf437ffb9f47513f7025d5a82af009f5ce3e1d4f73
SHA51205107882d40596fa8015d54bc66085dd471977dde48de416ce711112d58e8eae33435ff943b9e2ea4af77e3f1826338c149fdfd1892a2977d83b535f31187381
-
Filesize
12KB
MD5519433321d3cae17cfaacb263ef11107
SHA19051a5dc4960c91ec218d0f73839d76affff8dd6
SHA256a4a5c4dcac55515fe5a70f1c239d6d4d2ce5f9847f4bf13b16f86294dbb0af82
SHA512b3cc04e68694657a89332ad89fac5eb55b50766ac205528f6ab75492b11a71b5d46bd82d9198286620410293f64bf66264ce2a7c5b17cca7d64ca30be11d92ab
-
Filesize
588KB
MD5d7a9ee3c51aa6ee1b38834007fe372b6
SHA1eabc5312c035e7735ecf0e787fe72f3bbdcda85e
SHA2569d8e67eebbf5471927735ccb0342ea5d6f4884918eff21acadd5c9d8f176d2c7
SHA512213a2fede26b3ce35702622d1acb3e0f8cac364393ef2ea2ea0d8590fc46a01587b75d9102e9bf4563d88584aeaf98e6264f3294fdd796b366ce48b2cd939234
-
Filesize
1.7MB
MD503e98a14894bd8510e1ec4c20555b27a
SHA1ec4e9943e56f0a8facc59d92ecadd17271de6a8d
SHA2567715185a3aa759be717d16fbd27ab886101ce0e8649255fb647a463e0e360e4b
SHA5122dd42eb0f157f994f6bc5d92a33777276f87a5dfcb60d4b17dfd16c918a82809f8b88ed0a1d1e26a99680c41b58ff605e68b9f5c9c8734fadada069f189f017d
-
Filesize
659KB
MD5c3a3cca974e45137ff0fc105c3299fc2
SHA195e35c622da972a7e189b4114508aa5c1645c5dd
SHA2569a47a69996a38a154837841d2134ded162f1a214fbd5bda71387ed58861998bc
SHA5123571a09c16d07e4f0859fc1dfc6e831b76afbb7ff658c1a21fd28efc176f2788807b19bca512f2c6482eb8f890e19647a82c3af9c4c74521b1a47c72752ba5af
-
Filesize
1.2MB
MD54bf237900a6430b6546519f8cbd86895
SHA1cc886b9126a99232309265a7da72fae8c0464d3c
SHA256c13e9b325fae2e4e5fecf6a78895c8018959123b99c0e4cb3fdddf893f99a970
SHA512e692f18ca3741b1786c3f8b558bedcf824338aa9abc6a0a50e3ddb1f8dfb090ffee2771089435644f1a3afc20e5beb57d86ff509c12b7812a723b625b2db9e6b
-
Filesize
578KB
MD54092a504a7269526a4f89845c2a4d954
SHA12d9832b7947fbb6d7f137e80dea3b889d36dfd0d
SHA256497845166ae9bbfafaf9e2f0baeccf8dee196cf8bbe7520ee7dfd9d28e8b6ee5
SHA512b4547ceeccc08cff143582d3de8422d083ed6ce1afd4bae152d33047fa25b7bff949ec4583f91a48a73dcfb5a57984d413f73a3a33b7d0dbb275cecc71cad77e
-
Filesize
940KB
MD5249858a8d905d3d2a10d01f5f5730a91
SHA1902c00cdbcb6b17f3832e496ad316f7cd6fb3a53
SHA2569aea2a3af22c6cad690c43222fa408eb9daaa0e5a9ea4cd81118beaa0d0d51c6
SHA512ef37f3f86b65bc5cfab665faa4e63610a042eeae60544f2a159034b4739f263e55bd5c46dbf64125370a0950d870332d05a5fcbfc08717da5a784b17f9042a2f
-
Filesize
671KB
MD529460377cda7755685bbcb3628b36be7
SHA1c4ec61792953088f13056e7bfd5c9aad9d5eb412
SHA2568a1152ec084b95e11cef8c48c3bec814f16b8c73b3b4581753c6eb61bd299db2
SHA512f4655518bcc29b73684f2a9bda833f16abb40e736f7661555c587d7361e2724f90dac824a9165d5b5422e0c59b21f78b8cdaf10f964c9a641ee98a918ecff866
-
Filesize
1.4MB
MD5921e5dfc9a3af34b39caa2719cf4bd56
SHA11b80852504a3f80d01f1a932051bb0d0713f359a
SHA256582159fad6e4ec3cb404732cf9ecf7991390c1244dcb535e71ccc5399fd6955e
SHA512aa26d58cdfe32b9d86c033c2d8d60160c55ad785a91bda8a81621a4aa02d15b6bff3f9e3d496d3ebebca48160248b0de4a9db842c75e5188c222cb5234580dcd
-
Filesize
1.8MB
MD5bacaf705dc185a497531af4c9ee0511b
SHA1e56195c67b29a42c70df278c38b2747852d9120a
SHA25678cb16b8c1ba331bae8b02483a6ac324221976e76a38def044d737a64a6416c2
SHA5123063067cea55d4b973dc51100d0ac20bac4b36dcca21c2364c55cfd5555088f0df3b89738c16e0d6bdbe1d22584ccfba4cbd1451d3bae1c7660a63f85325a653
-
Filesize
1.4MB
MD5ee71435e6f5a9f081a85ba03dd331890
SHA184cce38d7c0073264f8c10209f68d5a3daacc02e
SHA2561d6b0947a92687da60b50a75507f490fbf18363e89dab75048184d376c335c79
SHA512ff621759e9e3a031498a539d2ca3f0d1a9d1a395b1384c85ba0562138ef050cddd8740d1ef28afb485f23e005cf140a8bc9de2c742aab70291a5652b60a46991
-
Filesize
885KB
MD538eba1aa6c2306cd0198af3a8ca57746
SHA1df28e5602d7bf142f647e3d367aadc5eb2d88449
SHA256c1e44d707f59d287ed7ca4c7805beb12747b0970bd04f52dcf677fa98e9de6a7
SHA5123e0d4b1860a0f6073b3371792ca6860dc9dee1d77d711b564048c7964c74959bda2907d3b5732969c2c0b86a9a777db7ad7f0d8624237d3c755945acccda1662
-
Filesize
2.0MB
MD54df6e7eeda3d3063d192c9e1e6fd9a8c
SHA15addd3bfd3b6af0893f20582a7b838a9d6b10b98
SHA256f757d441f430f0ac27c7ffebdd45c39d6552534c67e5d487f52e402aa77042af
SHA51294109cd37c4b6215f045d6a40e7a9b87a50d80d227c2346de3e1f4a6d89c60d42f8dde9cead1e81d6681c677454b90f4b9d08d1147731cd0407d8c05a3139fef
-
Filesize
661KB
MD523a2039f9577ca24a20537ed6becf841
SHA1ed2f227c1bbeb9b7031a7421904185ca0173ae1b
SHA256fdd63ee3dbd507ebfa5ad2ab3eceb58d0136710a6481168aafa5e9787611b903
SHA512e37410fa6950f73ccb0657f042d17dab2cad5659728bac5aee46c69c4af9d29d72a4100ed1bd72b3aeef02204f75c602a6cbe3565d89e431e0cec16124c69b9f
-
Filesize
712KB
MD5cd7fb3eef186d901b4b1deed6dfb7ab5
SHA14918f9196ca37d505e82ea7c9d1bf2956208f576
SHA256db02de3151f5e434b061b12246d0a8a978acb8d7b1537de552f9ef29728a9bf8
SHA5120526282f1f51c8b625eb982b5c92acf7c451612c639e5565508983f2b9d9326b4d3a1f71ed6a9cd851bf441ba222b73045ac1f70418a8e6fad3d6d86a696ee6b
-
Filesize
584KB
MD5bdb640486108fad0f39d209eb1669c18
SHA1a28170f0b7ab823db1916abf77fd25cd155edfed
SHA256ffeb29157348519b839f3874e91b6344d0d1253ba73a93169bd2449890ee6406
SHA5121c8d469d6e9308a7247ed4e445e77d4cb7fefb4baac62dcea87bd51e1767132975b5f732d635516b73894e59480e501e55d73c1e805eca555be46b94fb12e536
-
Filesize
1.3MB
MD55f6dbdb8223a7e203fc7d2ccf9c7bd32
SHA1ebfbd786a70418714c827454c7449733c2603559
SHA2567950a86d075e28cf834edad810a340b9781a82536654b284b2fcdd38e42d4d98
SHA512659adb59389ec886bf1bc7de7f043a7a3970646ea8463d6d53d6043d93e23e5896094c85aa0cd1051a1d597b5090afae9adc0586ae3b17e0cdbb6cf08559b092
-
Filesize
772KB
MD5cf6ea9769560feb8881804d5473a4d3f
SHA1e3b8dfac1c9e78aeadf5a8fbe659731af48b7a91
SHA25602401768feb4e64e86bca5962066c7615e3d38fec95b520427189a52274ff451
SHA5122ba053f0e2d632201a524be7ec3f9984afee0fa92a8937aea27fdce9b77d0edd8d90bf681f1c98bda39ac617fde02e0af7cd7bcd0d0ac0cc1ac9baad703ad616
-
Filesize
2.1MB
MD5098da57ab83599f2af5cce44a5271d90
SHA1f4456f23941bc8f1067ac5cfa2195ad87364bd48
SHA256bc155660a208f7883943c619d415118d2da16c317adbf6053208f3a347b87ab6
SHA512cd45b2c544caa88a13eadb4b05bec090c318972daacb5b3694200c407cc00c22e292e43d7b09b17505e79aba73bbb96dbc5a36836753464ac5643ebcb1623fe0
-
Filesize
40B
MD5295c35172675c56d85b3271fc5adbaf7
SHA1fc8f7052aa2fdfb84e7cb6bf027db403bcb8cdf0
SHA256f022aa4752d0400339634741871e82f3bb6e1dc719e1ffe9b3987e457c01bdc0
SHA51215813f64afc1d8f3fb24db561e3b68c8efcdfe45dd0768d53f85b32e72352c0f22240b9f4156dfa8feb88fde664025c75d3fe6594c957aa961fc010496f8548a
-
Filesize
1.3MB
MD58c50fc621bd9e76ed4e968f9a6b70cbd
SHA113cfd32d061ce34c3e7e36103220d2e0d8f21486
SHA2563a5be4de425085b4a802674bf634ea9389f223aa9e6c3b863dde5894b0463517
SHA512aff82847c238ecaf9daac673672e6a5a6f5baab5ed7929c0817f0609930f2f2592bbadf3b45ab6fd57f34dc7c0c655666dd70b75c2fbcd6be57a3eb16f07c3ea
-
Filesize
877KB
MD5127c79d8723b6aa637a5e6f2dcba4519
SHA16aa4ba79cc0dfb5e61047112c4914c0eb76f2dbc
SHA2564a95dd03c4c4ebe198d952905284185f30ea47769800d1e4c7158a612712d464
SHA5122fcd45fabe4b3fdb518473e605b3ea131b72e92b17b09cd817467ef7a9386fe560bf47ee8f1a4fa3d84ff41b26c0b7282c645cc14d0fae83cabbe25bf9653f8f
-
Filesize
635KB
MD5af60cb12273060e9230fd436108a407c
SHA1c6fe846ab7d0cfae06d02e14427a421d80e67009
SHA256cc61ae3e0a1f0f94697a88358cf3696d2dd32c672a9e6212ce43568f78ab6f7f
SHA512019893118e206b08757275aa3f3d7ee2a5cd5847e2ea6c0206213e6c752c91d0e2fb45bdf0b60a9c5ed47c2bd71ff6f2bd206cad6c8de05b5fe62024e89000a5