Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/06/2024, 18:03
Static task: static1
General
Target: 2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe
Size: 4.6MB
MD5: ad600fc7ddca5a6fb49ede5b76dd533b
SHA1: c29c0deb50745eacd7d1af9dece731142a1f2920
SHA256: ac77632f9e93467bf8889972b03378f11ae85e42ce9613dcef1ae81e509f4a6b
SHA512: 416dddaf3880fe705880b5aa7bc5b6db6208eda8747cd8f6cb8851e50930ad64278d8005d011fa00ee3d9699da7a54d2ac4d86fdc2cc3aed5ede89304b8e4c26
SSDEEP: 49152:SndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAG2:42D8siFIIm3Gob5iE97wRGpj3
Malware Config
Signatures
Executes dropped EXE (26 IoCs)
pid   Process
3036  alg.exe
4516  DiagnosticsHub.StandardCollector.Service.exe
840   fxssvc.exe
1768  elevation_service.exe
3148  elevation_service.exe
1724  maintenanceservice.exe
1456  msdtc.exe
2884  OSE.EXE
2500  PerceptionSimulationService.exe
3684  perfhost.exe
3648  locator.exe
4608  SensorDataService.exe
3720  snmptrap.exe
4576  spectrum.exe
1796  ssh-agent.exe
4308  TieringEngineService.exe
3296  AgentService.exe
3624  vds.exe
3100  vssvc.exe
636   wbengine.exe
1724  WmiApSrv.exe
4476  SearchIndexer.exe
644   chrmstp.exe
4348  chrmstp.exe
3408  chrmstp.exe
6092  chrmstp.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg SearchProtocolHost.exe -
Modifies registry class 1 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
-
Suspicious behavior: EnumeratesProcesses 46 IoCs
pid Process
116 chrome.exe
4756 2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe
4516 DiagnosticsHub.StandardCollector.Service.exe
5336 chrome.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
664 Process not Found
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process
116 chrome.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2988 2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe
Token: SeTakeOwnershipPrivilege 4756 2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe
Token: SeAuditPrivilege 840 fxssvc.exe
Token: SeRestorePrivilege 4308 TieringEngineService.exe
Token: SeManageVolumePrivilege 4308 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3296 AgentService.exe
Token: SeBackupPrivilege 3100 vssvc.exe
Token: SeRestorePrivilege 3100 vssvc.exe
Token: SeAuditPrivilege 3100 vssvc.exe
Token: SeBackupPrivilege 636 wbengine.exe
Token: SeRestorePrivilege 636 wbengine.exe
Token: SeSecurityPrivilege 636 wbengine.exe
Token: 33 4476 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4476 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4476 SearchIndexer.exe
Token: SeShutdownPrivilege 116 chrome.exe
Token: SeCreatePagefilePrivilege 116 chrome.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process
116 chrome.exe
3408 chrmstp.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2988 wrote to memory of 4756 2988 2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe 89
PID 2988 wrote to memory of 116 2988 2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe 90
PID 116 wrote to memory of 4512 116 chrome.exe 91
PID 4476 wrote to memory of 3864 4476 SearchIndexer.exe 118
PID 4476 wrote to memory of 1544 4476 SearchIndexer.exe 119
PID 116 wrote to memory of 5308 116 chrome.exe 122
PID 116 wrote to memory of 5328 116 chrome.exe 123
PID 116 wrote to memory of 5432 116 chrome.exe 124
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe"
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2988

    C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:4756

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
        - Enumerates system info in registry
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID:116

        C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff269cab58,0x7fff269cab68,0x7fff269cab78
            PID:4512

        C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1912,i,7325083813853303863,15650312182383035393,131072 /prefetch:2
            PID:5308

        C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1912,i,7325083813853303863,15650312182383035393,131072 /prefetch:8
            PID:5328

        C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1912,i,7325083813853303863,15650312182383035393,131072 /prefetch:8
            PID:5432

        C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1912,i,7325083813853303863,15650312182383035393,131072 /prefetch:1
            PID:5472

        C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1912,i,7325083813853303863,15650312182383035393,131072 /prefetch:1
            PID:5480

        C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4164 --field-trial-handle=1912,i,7325083813853303863,15650312182383035393,131072 /prefetch:1
            PID:5852

        C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 --field-trial-handle=1912,i,7325083813853303863,15650312182383035393,131072 /prefetch:8
            PID:1700

        C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
            "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
            - Executes dropped EXE
            PID:644

            C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
                - Executes dropped EXE
                PID:4348

            C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
                - Executes dropped EXE
                - Modifies registry class
                - Suspicious use of FindShellTrayWindow
                PID:3408

                C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x268,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
                    - Executes dropped EXE
                    PID:6092

        C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1912,i,7325083813853303863,15650312182383035393,131072 /prefetch:8
            PID:6096

        C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1876 --field-trial-handle=1912,i,7325083813853303863,15650312182383035393,131072 /prefetch:2
            - Suspicious behavior: EnumeratesProcesses
            PID:5336

C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    - Executes dropped EXE
    PID:3036

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4516

C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    PID:4312

C:\Windows\system32\fxssvc.exe
    C:\Windows\system32\fxssvc.exe
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:840

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    - Executes dropped EXE
    PID:1768

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
    - Executes dropped EXE
    PID:3148

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    - Executes dropped EXE
    PID:1724

C:\Windows\System32\msdtc.exe
    C:\Windows\System32\msdtc.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:1456

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    - Executes dropped EXE
    PID:2884

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    - Executes dropped EXE
    PID:2500

C:\Windows\SysWow64\perfhost.exe
    C:\Windows\SysWow64\perfhost.exe
    - Executes dropped EXE
    PID:3684

C:\Windows\system32\locator.exe
    C:\Windows\system32\locator.exe
    - Executes dropped EXE
    PID:3648

C:\Windows\System32\SensorDataService.exe
    C:\Windows\System32\SensorDataService.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:4608

C:\Windows\System32\snmptrap.exe
    C:\Windows\System32\snmptrap.exe
    - Executes dropped EXE
    PID:3720

C:\Windows\system32\spectrum.exe
    C:\Windows\system32\spectrum.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:4576

C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    - Executes dropped EXE
    PID:1796

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
    PID:552

C:\Windows\system32\TieringEngineService.exe
    C:\Windows\system32\TieringEngineService.exe
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:4308

C:\Windows\system32\AgentService.exe
    C:\Windows\system32\AgentService.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3296

C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    - Executes dropped EXE
    PID:3624

C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3100

C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:636

C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    - Executes dropped EXE
    PID:1724

C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4476

    C:\Windows\system32\SearchProtocolHost.exe
        "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
        - Modifies data under HKEY_USERS
        PID:3864

    C:\Windows\system32\SearchFilterHost.exe
        "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
        - Modifies data under HKEY_USERS
        PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3768,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:8
    PID:5168
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.4MB
MD526140d8282aa9824d427d5bbccb0b73f
SHA1c6b0d30b159105a5cbd219039842a179ca34c74b
SHA256dee5ff1e5f8568e774aa94fcd318d077490f63f6b32f4ddd96ec839da144913b
SHA5125e31d3ed43fd831c6011cdbad705837e6204c919fa1b058c784e60a632e3514e7f97aaf1f752d31e816e67f88658a977a915d4ac2d6d5d9c5fe4108b98e39d06
-
Filesize
40B
MD5e646991f9b7863013f4543e5deea2d49
SHA17d3ab1c249b15c5bc5761baef819fa96b043539a
SHA2560cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07
SHA5128b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f
-
Filesize
193KB
MD5ef36a84ad2bc23f79d171c604b56de29
SHA138d6569cd30d096140e752db5d98d53cf304a8fc
SHA256e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
5KB
MD5c13740799d0caa933b421619655eef43
SHA10922bf64d722e6924730ce8fa7dbadc4053f8e9d
SHA256eda06343b6fddbd4df468f2b768e6d1999f662ad59b584643810615fb0bd24a8
SHA512fe7a28453f6fe32a7443f94cfe585827c44567dbb73cec6f8d2574d9011aefbf4c9514c43adf24020d448e1d3774b4f495d17419f4188aa26edf189abed41947
-
Filesize
5KB
MD593cce0bc8af4dc3358be9aec1b109b71
SHA11772bf883b9c9de1e77dcb0ea5e41c9763e705a1
SHA2564242bf85fe60a130728246d1bbc1ddbb0409524b153b5f32ed1f027d4712848e
SHA512b195697c5a574539684ee0830b3bbd2f70fd62be7329804e97ec18c4ee5d55498f7244024f2a797d34c55b5a925422bec1705fcafeff640d07fd172dff684560
-
Filesize
5KB
MD5d358ef6327ca3317cda73d856fb6233c
SHA12fa7981029d4341d3bc97bfc33d10a3e941c1eaa
SHA256fd10197dd8986a31a1d8cf921b9b769f5cc0a6084a861fb43f7850f6687e71d4
SHA5123d964b0482f0c68a7b61c24f5d8ea827b82fbd2f3ec6df4d4a17b316bf7dcca46521ddb90cee0c94ddec35542649a437ef167aaa027be67ea9069ce05704bff2
-
Filesize
2KB
MD5c4d12c24a85b7e1aaf85cad983fe7610
SHA100bcb6e962cbc5a3d88689ec2f8c15feda6ff7fb
SHA2566568b506f3cb4367abf414e66e1e93a4d4e40339dd3a2a1d5ded1f1907484337
SHA5120d45cd5f36424147b7a67d4f154539d9ddde285cb363a139c5922814e6073cf731d61902a7eb84e9ac6547bcd52e65b023a2f97636072db478ccd04495a59aa6
-
Filesize
255KB
MD56f5a389c25fa94ca8c16de690f79aa90
SHA11cdcb1bbddacd5f4eabafa20f3451fa88dd8e642
SHA256db5a19c6b96285b5de81091f18ce85ea6dbbd79a5f48baf9071ff7b2404d495c
SHA5126d8d724dfdb519b003095e74df3d1a60fd1189cb6f96716e1670864fbe19b5ecc49b8256a6d55ebb1eb5cc2239263238175792ffae7137c27914f7ceca58d7e1
-
Filesize
7KB
MD50c192d9326e76cc1935234b56bac4e53
SHA18f25cf0989eabd192f0b7a89f56a6299112333e4
SHA256fa350df47a5e1e78ec90153b0656bd06f871da3765da298bb8b321535bd898e7
SHA51230c574f7fe9468e287106fa06326d238dedd5ff7230d61fad7c85c42d9edc257d889511a41a75263479f34e3ce81a59456572fc7c7eadeaf5c920bc4d7c2d28f
-
Filesize
8KB
MD55a0afaa6d8bcfa23c349640d5c51e4ff
SHA1eb481ba20b7aa4eb61fadb067449888dcc5ba458
SHA25661c69e4d9188737f8e0533e535b1967fca5e876ce516a7376612f607d4acf910
SHA512b3929eaa5ded219f9225839646b57ebc1485a846bbda40d70ea0da89c7d6b1f64b91b4c43f37b5caf2ba002391ce5e96b4eba84fceee768133849b8e1fd19617
-
Filesize
12KB
MD5622b2418d9be35b2156bf0cf8c4bf67d
SHA18f89b99df4abc1c93149a8c8737cc7b13edc306c
SHA256f447564f1bb7871f6918c55615c87d16384224e96a518b6d9cf6bff2f7e3d65a
SHA512ae66ae0f16c45102cb9f2b62d3a3cb011c01326596ab6e07b417ceddd1659c19111b1579e7c4504130208580e2a35b5f6e96ce5bbd1ec9afde4c23f00b1a6aaf
-
Filesize
1.3MB
MD50f459838ffb7e45f1b2e32bc9eb6b886
SHA18b1e657f190771e4678563a16457b00eef3ed93e
SHA256cedff35842d4f27598a12b4b9d987da393980770bedacc855a6a1d3ac0e52c5e
SHA51242f91f5bf6f90eb40b4f548db3141a2a62177802ec94bf81d69750c3e9454d19bf9a8238cdc9201589549b3f8b56c2ee42dca08043f6713b49e6e1c0dba4494a
-
Filesize
1.7MB
MD5939a6f7ebac0eb8abab41415a816f155
SHA13f9b5cc2ea3258474c3a19c763194cef502fd18c
SHA25647dcb62338f924f767157716ec8b0de8f291804f53c4fd253e077b6ff7a08078
SHA512ac16afa2617f1f5a9744e945c1bd0bfb99c850878ba3aa76dd4645d0dddad2c72b390cc7ce64e943dae692554e94fd373b44c84b6d31a2ea3c8ddcd2c28bc5bb
-
Filesize
1.4MB
MD527f03cd446335e6343c01d1f8ef4261a
SHA1374316fe315f374cae8db2245166dc10f7342f66
SHA2562b57c8b20c22be312b5f784810ca40d6d892d398ab58f0a8eec08253055211d2
SHA512f94de214897da7a39faae397d4c394b46d6a2faeef44e606121b3e5c0e9afed27fcc51b4c29c326607e8ea56b85572572c7a6aab63930eae03e084615a6476cb
-
Filesize
1.2MB
MD5b6e521a653c82b1b867127977074346b
SHA17538625d4b32f34c7a61baa819fb91adfe6d4f29
SHA256ffdd98d69a7dea3c4a71a0b372aca354fd7ccc5e2e8caf7d62aa6abbdab18ca3
SHA5126f4ab7d5677d100cee8d5f9f0b7522e0eac46397a9e9b6462b4ae0b2f0982e447d8e413fc3064ea67ab969cd751e109b2f473a9b3924f86dce5925272834506c
-
Filesize
1.3MB
MD51edc1a87afb88b9dd41cf78141c63dba
SHA11da61f7de126abd31488e5c2097ffbf355503d23
SHA25606382e5edd2a5abc8676bc285e468a84615700fe77b0bd02859e0c17d06d0409
SHA51240a943592b268ed3ffe3b7099be1acd544f18c480ab801c34e2228d58d735c7f96a34fba2c995ab28362818c0813d9ad48e0755c8acd83bf075924b33ab6e3ee
-
Filesize
1.6MB
MD5c021fcfd00b78a3fba66dd9efbd4a90c
SHA1089280badc5d90cf99ebf3b1659eb5b5b985d44e
SHA25688a20994f0c45e1cab758e0b6df00524b90b09cbbfbec9428485b0be551cf056
SHA512fcdc55fbfa8a119a280eea682477f1894570a027f25750b56d4d7e5e2234d6bdce110efcf254f591b27d7834516ac126dcdd7f6518dcc0ef998db19cdfe95962
-
Filesize
1.4MB
MD569b1a8b19119ea1d7c6faedfa849427d
SHA132276e5103e89d76f37e11f8a334255ae5cf7d77
SHA25645aeb52d2a27256bebc31cf23f80c42f931eee0418cabcc4d963ccbc025ab1e7
SHA512f8baf2e195c9c04be5ad2ac31d1d3cc9525f2bfc47a8f51433627a8bc226892a46de7a2c154e15a42b5bec1fb916485722d550ad8eadce1db675f70fe0360db0
-
Filesize
1.4MB
MD588cf5f7f85a63dc8d3ad8b5265a296ee
SHA1ef227b7e07258e80399032e39a828fa3faf87845
SHA256936432fef765844bb32beb944bfcf5238ca7b066b4752e58e63fc275f08ea2c5
SHA512047bc7a7fb8ef91c32b7d9633283600f5a6de4341f2dc4dcd3d7ff4df9e8d8151b72ce24d865148be1be921f87ac338138b2622b087ccd4b0a790d77ba8d1688
-
Filesize
1.8MB
MD5167f00a6d02f00061ee502142d59c67d
SHA163e77a627199866a6ca5952bfe09227fcad60243
SHA25683e05e735b791af8433d1b3baff9358b32cb92024cc3a95df5dfaadc65e96a93
SHA5123824bb01992e745e73ea270f6f24c5bfc0615af02ed3b2f99755459076e4f506dc8548e3bfeefe9ee6ff4f39726e1f930d8b7b2061eb2454a94966557d7f8b2c
-
Filesize
1.4MB
MD5b936b5f66097442b1af4996a651a13f3
SHA1e778935154e588ea106b8a45f132cc2b6c35dbdd
SHA256a0f1ace40afb519ff0fdd01f8ec8e09ffbc511d48dd8fe15b0be15cdda9de3fc
SHA51270f176bca88ccdaf5b88ead32a3da086a7394005f59206c53573b304da1b9c8f266a162b7ca4da303a0e80213f07649147a331492f4f60234c0158ff1f13f7ec
-
Filesize
1.6MB
MD568880d808e17e1e17845c0e07019575a
SHA1f8b134ca0694fc3832c067a3b93b0703433ce46d
SHA256192ab18b2ab81847f372fa4ef79e622b2a8fa53062c359dcd310b9df26525a1e
SHA512fe4eaf1ebf21bcc895c99b4e7d44914fe51ecf3a370ba25ed9365615205dd8b89c207cc418b65617bf57cc7db804ca28fcf9a17d1aa4ad80e04f111ba897abc8
-
Filesize
2.0MB
MD534fd4125965c601adce3c9627c04457d
SHA1babc7cf40d68a4e21ac02c3b494184314cac3e25
SHA2568be7d412ef1faa2ace2cf86966068a1d1544ed365691b124cc0777d354f7f38e
SHA5123d77863b0a928f4855d39db0b197e7e589508847414c985ae80bb54b5f71cc62399f1eee2fec46cd02a974cfac8b8071e6a776c508b5acf2f22877f423db2f7b
-
Filesize
1.4MB
MD5ef71107effdec6908f0c88851a383b5b
SHA10b33f08d54204eb7c8784c94c6b6c4c5e4d1e5ca
SHA256575dbe7cdf35d96641ece33ef22eec0701313372cb38b014ac92b341eed048ff
SHA51214bf626acb4ac4547f832f7f15fad346a92c203ef35ee58c101e8ecec7448f7c86052004cea6dc38cc024862bac96f5d54382f8afad8d88af1b971234cf2c97d
-
Filesize
1.4MB
MD58b62c892732ac947339b1d18ec54b1d1
SHA176c801cd05acd18bd250de4f534afb7d9febef13
SHA256d838b0436db542b0eabe9ae4454f35422a082d7021c4a7eceb1483c0c193a763
SHA512e939a0d7000a41a1067406cf340b0e3ca71617da8985c4e93f20d84c188e6ce63ebf80affe9f99661393610802d3694252143558d5287588a59fe38f8e55bd15
-
Filesize
1.3MB
MD5bf5dfd9d7e5d8e36224be5f5f5cc61c9
SHA13bafcb852730f9ccdbbf776c3a3c0215a36e6a36
SHA256b7b1ddcd98033c8a191e697db32f20e180fe034c6d73eef17321a3e71832b7d7
SHA5121e18ec1799312eb2814ad2f6fc7780b75876bc49c9e1856e6a38772add2104f8256e11d164599a533064ef920edb90a8dc338b5f19e90cf1a1c64af8fe0bd884
-
Filesize
1.3MB
MD59d024ba7a5fffd2765c9803ba43eb305
SHA1e4df3f6233ad97cf0e7a2b2056e5895d753551ad
SHA25604424ef7de3e1ab76b6cb50a340065dfd3378fae0c156828c958f24525f967d1
SHA5127233d5256a089b0e5c491050b9a56c50327dbe4f74160507b66d3681abaac4082436d94c8075eba7ce6da08e392c54262048f1cb31113938f419c39d85cd15c8
-
Filesize
1.5MB
MD53a8506513c9cabcfd92bd801c762757f
SHA1a102d1ec38ce2b252afa8e8c099413996df84e6b
SHA256d4c84cac8cc7d754497a2c3dabb006766dbc326f6c3cf2e592d28154352e35e5
SHA512656fd0e7c3216ff99c3906a11db229cfaa2833e243bf8b6d68fe1fcda1ab3e76c3bf3d94af819a939db3bcc3a57880e01c552b8b4b2ab93ba416badafea2861c
-
Filesize
2.1MB
MD54c8bb8790db2ff1ea93b037b2950f78a
SHA1a4f674f1bfa2d3f655299f8ad045cd2379481280
SHA2561a99cf346f4f8386d334962f4570eb5e6ec0b048df35bcd8e50fb99753e64cce
SHA51245b4d7959d3619f52fb92be055340d81da84180ed9621c35b427015e93ff2c5efbf45c0bcea268a1b8869066cf1d1315e58faa4aacd510db10dbc3355fd26a1d
-
Filesize
40B
MD5de12892063f81f60b11c0497ec332fa7
SHA1ccfa0530f55d277c3fe6d75260088ae08d5b7616
SHA256afd8ccad757251c38eecbb67fc9f41af5aecfec62b521b229c5b17e17ba05eae
SHA512441e809f431b7d1715efa1a6eeda910ba6945b9529a6330cf964a1d8f7233e97893e6eac6758abbeca4c61d315829371fa2e2fa02a5b838d1fb79e7a43b6d7ca
-
Filesize
1.3MB
MD5ae5908882d4ca644be8d99d9d8807c6e
SHA1df97804cca228d79e941a751194cacd5f699630a
SHA256c564f4baf58bd03863f8c91fa29de5d8de348b863a5a69e40869298e50996311
SHA5127d43657313d52b617a5eb79a25fa71b28b0f9652ee0d343f356679a4d357502b56b491e4c55a77dcb00681a2a6c5e6e1bfda33c4a78babf35b2a37261fe21df2
-
Filesize
1.6MB
MD5dc3a426c0699705de9c524cf36ea91d5
SHA135951951a97b7963bed82491508217624ae39b8f
SHA256c7f933983b287a111a8fa6c38363b6057a172f737db24108585277c2351c8b0a
SHA512fc1ae3a156f7239153929f78b802f7d2485eb01ffa8ec0887401e125a6303ff16e7f8e99d668c9a57b66a1c0da6db2fc5b1545c5425ac3879d7fb95a94030c56
-
Filesize
1.3MB
MD5b4cfb54cdb237ff5dded56655fc076a3
SHA1e5e27f43eb1db516e8e9ee5b215d5961798fe7eb
SHA256db69680603d8e4962de7c8587f42710480e3a5224498e1043dc9729d3921ce9f
SHA5120747a11e283c3ebc061acc87d786adf881849afe941cf3578e3bc98c9d370cc85c03c43a0a232ba9e28b4a01ed29702b00b8a99233036733305ad6c0d4697f37