Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/06/2024, 18:09
Static task: static1
General
Target: 2024-06-11_bcfb9e5546d754972e181d3c2753e36f_ryuk.exe
Size: 4.6MB
MD5: bcfb9e5546d754972e181d3c2753e36f
SHA1: 2685a06c9703f3141c4fb4d8f911a33f250728dc
SHA256: 6602bdad25d60776c0827635609b24b0da3ff0d67e7598875550f95f6dbcb070
SHA512: 8a31687de8a81211b1b4ab8a707c2dbf7a7e555593efff9ede3c4819a6b86e4724c025d2b300d13f979fa56351ea834b4dc5d8f53a9d303c36132f19b088057a
SSDEEP: 49152:vndPjazwYcCOlBWD9rqG0i0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGQ:H2D8BiFIIm3Gob5iEP65tUV
Malware Config

Signatures
Executes dropped EXE 26 IoCs
pid | Process
2740 | alg.exe
1812 | DiagnosticsHub.StandardCollector.Service.exe
2672 | fxssvc.exe
760 | elevation_service.exe
2108 | elevation_service.exe
2608 | maintenanceservice.exe
4444 | msdtc.exe
2824 | OSE.EXE
1968 | PerceptionSimulationService.exe
1648 | perfhost.exe
4476 | locator.exe
4868 | SensorDataService.exe
3244 | snmptrap.exe
1480 | spectrum.exe
496 | ssh-agent.exe
2288 | TieringEngineService.exe
2696 | AgentService.exe
3504 | vds.exe
1168 | vssvc.exe
700 | wbengine.exe
1772 | WmiApSrv.exe
2664 | SearchIndexer.exe
5924 | chrmstp.exe
5152 | chrmstp.exe
5268 | chrmstp.exe
5408 | chrmstp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 32 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-11_bcfb9e5546d754972e181d3c2753e36f_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Modifies data under HKEY_USERS 64 IoCs
Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" fxssvc.exe -
Modifies registry class 1 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
-
Suspicious behavior: EnumeratesProcesses 46 IoCs
pid Process
4840 chrome.exe (2 entries)
4712 2024-06-11_bcfb9e5546d754972e181d3c2753e36f_ryuk.exe (35 entries)
1812 DiagnosticsHub.StandardCollector.Service.exe (7 entries)
6044 chrome.exe (2 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
676 Process not Found (2 entries)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process
4840 chrome.exe (3 entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 3152 2024-06-11_bcfb9e5546d754972e181d3c2753e36f_ryuk.exe
Token: SeAuditPrivilege 2672 fxssvc.exe
Token: SeShutdownPrivilege 4840 chrome.exe (repeated, always paired with the next entry)
Token: SeCreatePagefilePrivilege 4840 chrome.exe (repeated)
Token: SeRestorePrivilege 2288 TieringEngineService.exe
Token: SeManageVolumePrivilege 2288 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2696 AgentService.exe
Token: SeBackupPrivilege 1168 vssvc.exe
Token: SeRestorePrivilege 1168 vssvc.exe
Token: SeAuditPrivilege 1168 vssvc.exe
Token: SeBackupPrivilege 700 wbengine.exe
Token: SeRestorePrivilege 700 wbengine.exe
Token: SeSecurityPrivilege 700 wbengine.exe
Token: 33 2664 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2664 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2664 SearchIndexer.exe (repeated)
-
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process
4840 chrome.exe (3 entries)
5268 chrmstp.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3152 wrote to memory of 4712 3152 2024-06-11_bcfb9e5546d754972e181d3c2753e36f_ryuk.exe 81 (2 entries)
PID 3152 wrote to memory of 4840 3152 2024-06-11_bcfb9e5546d754972e181d3c2753e36f_ryuk.exe 83 (2 entries)
PID 4840 wrote to memory of 1528 4840 chrome.exe 84 (2 entries)
PID 4840 wrote to memory of 4880 4840 chrome.exe 93 (repeated)
PID 4840 wrote to memory of 784 4840 chrome.exe 94 (2 entries)
PID 4840 wrote to memory of 4952 4840 chrome.exe 95 (repeated)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. Ransomware abuses the same API to enumerate and delete shadow copies before encrypting; in this run the signature coincides with vssvc.exe (PID 1168) starting and enabling SeBackupPrivilege and SeRestorePrivilege (see AdjustPrivilegeToken above), so check the snapshot state on any host where this sample executed.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-11_bcfb9e5546d754972e181d3c2753e36f_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-11_bcfb9e5546d754972e181d3c2753e36f_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Users\Admin\AppData\Local\Temp\2024-06-11_bcfb9e5546d754972e181d3c2753e36f_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-06-11_bcfb9e5546d754972e181d3c2753e36f_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2c4,0x2cc,0x2d8,0x2d4,0x2dc,0x1403796b8,0x1403796c4,0x1403796d02⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4712
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffce953ab58,0x7ffce953ab68,0x7ffce953ab783⤵PID:1528
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1868,i,3077013451899170591,16218043667211953118,131072 /prefetch:23⤵PID:4880
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1868,i,3077013451899170591,16218043667211953118,131072 /prefetch:83⤵PID:784
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1868,i,3077013451899170591,16218043667211953118,131072 /prefetch:83⤵PID:4952
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2908 --field-trial-handle=1868,i,3077013451899170591,16218043667211953118,131072 /prefetch:13⤵PID:752
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1868,i,3077013451899170591,16218043667211953118,131072 /prefetch:13⤵PID:3184
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4364 --field-trial-handle=1868,i,3077013451899170591,16218043667211953118,131072 /prefetch:13⤵PID:5092
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4388 --field-trial-handle=1868,i,3077013451899170591,16218043667211953118,131072 /prefetch:83⤵PID:4240
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4668 --field-trial-handle=1868,i,3077013451899170591,16218043667211953118,131072 /prefetch:83⤵PID:2300
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4788 --field-trial-handle=1868,i,3077013451899170591,16218043667211953118,131072 /prefetch:83⤵PID:5248
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=1868,i,3077013451899170591,16218043667211953118,131072 /prefetch:83⤵PID:5604
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings3⤵
- Executes dropped EXE
PID:5924 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae684⤵
- Executes dropped EXE
PID:5152
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=04⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5268 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae685⤵
- Executes dropped EXE
PID:5408
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4548 --field-trial-handle=1868,i,3077013451899170591,16218043667211953118,131072 /prefetch:83⤵PID:5944
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1860 --field-trial-handle=1868,i,3077013451899170591,16218043667211953118,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:6044
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:2740
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1812
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:5104
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2672
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
PID:760
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2108
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2608
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4444
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2824
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:1968
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:1648
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:4476
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4868
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:3244
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1480
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:496
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:2236
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2288
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2696
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:3504
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1168
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:700
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1772
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2664 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:5820
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 7842⤵
- Modifies data under HKEY_USERS
PID:5868
-
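The Processes section above is rendered flat: each entry is the image path immediately followed by the command line, a one-digit depth fused onto the end (so `...0x7ffce953ab783⤵` is depth 3, not part of the hex value), an optional inline `PID:`, then signature bullets. The script below is an added example for reading that layout; it is not the sandbox's own tooling. It rebuilds the parent/child tree from the depth digit, then lists the top-level processes (no parent in the tree, so not spawned by the sample) that the sandbox flagged "Executes dropped EXE" and whose image path the sample had opened for modification, which is the shortest route to the System32 binaries worth pulling and comparing against a known-good copy. Assumptions: the sample listing is abridged from this report (Chrome command lines shortened), the modified-path list is a hand-picked subset of the "Drops file in System32 directory" entries, and every image name ends in `.exe`.

```python
# Added example: rebuild the process tree from a sandbox report's flattened
# Processes listing (<image><command line><depth>⤵[PID:<pid>], then '- <sig>'
# bullets and, when the PID was not inline, a 'PID:<pid>' line).
from __future__ import annotations
import re
from dataclasses import dataclass, field

# The depth is the last digit before the arrow (it is fused to the command line).
PROC_RE = re.compile(r'^(?P<cmd>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?\s*-?\s*$')
PID_RE = re.compile(r'^PID:(?P<pid>\d+)\s*-?\s*$')
SIG_RE = re.compile(r'^-\s+(?P<sig>\S.*)$')

@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: int | None = None
    parent: Proc | None = None
    signatures: list[str] = field(default_factory=list)

def norm(path: str) -> str:
    """Case-insensitive path key with the NT '\\??\\' prefix removed."""
    return (path[4:] if path.startswith('\\??\\') else path).casefold()

def split_image(cmd: str) -> tuple[str, str]:
    """Cut '<image><command line>' where the command line repeats the image path
    (quoted or not).  Assumes images end in .exe, as every process here does, and
    tolerates the NT '\\??\\' prefix the report shows on OSE.EXE."""
    low = cmd.casefold()
    for i in range(1, len(cmd)):
        cand = cmd[:i]
        if not cand.casefold().endswith('.exe'):
            continue
        base = norm(cand)
        if low[i:].startswith(base) or low[i:].startswith('"' + base):
            return cand, cmd[i:]
    raise ValueError(f'cannot split image from command line: {cmd!r}')

def parse_processes(text: str) -> list[Proc]:
    procs: list[Proc] = []
    stack: list[Proc] = []  # open ancestors, shallowest first
    for raw in text.splitlines():
        line = raw.strip()  # bare '-' separator lines match nothing and are skipped
        if m := PROC_RE.match(line):
            image, cmdline = split_image(m['cmd'])
            cur = Proc(image, cmdline.strip(), int(m['depth']),
                       int(m['pid']) if m['pid'] else None)
            while stack and stack[-1].depth >= cur.depth:
                stack.pop()
            cur.parent = stack[-1] if stack else None
            stack.append(cur)
            procs.append(cur)
        elif procs and (m := PID_RE.match(line)):
            procs[-1].pid = int(m['pid'])
        elif procs and (m := SIG_RE.match(line)):
            procs[-1].signatures.append(m['sig'])
    return procs

def replaced_service_binaries(procs: list[Proc], modified: list[str]) -> list[str]:
    """Images of top-level processes (no parent, so not spawned by the sample)
    flagged 'Executes dropped EXE' whose path the sample had opened for
    modification: the binaries to pull and diff against a known-good copy."""
    wanted = {norm(p) for p in modified}
    return sorted(p.image for p in procs
                  if p.parent is None and 'Executes dropped EXE' in p.signatures
                  and norm(p.image) in wanted)

# Constructed input, abridged from this report's Processes section.
SAMPLE = r'''
C:\Users\Admin\AppData\Local\Temp\2024-06-11_bcfb9e5546d754972e181d3c2753e36f_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-11_bcfb9e5546d754972e181d3c2753e36f_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Users\Admin\AppData\Local\Temp\2024-06-11_bcfb9e5546d754972e181d3c2753e36f_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-06-11_bcfb9e5546d754972e181d3c2753e36f_ryuk.exe --type=crashpad-handler /prefetch:42⤵
- Suspicious behavior: EnumeratesProcesses
PID:4712
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --initial-client-data=0xfc,0x7ffce953ab783⤵PID:1528
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2824
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:1648
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1168
'''

# Assumed subset of the report's 'Drops file in System32 directory' entries.
MODIFIED_BY_SAMPLE = [
    r'C:\Windows\system32\vssvc.exe',
    r'C:\Windows\System32\msdtc.exe',
    r'C:\Windows\SysWow64\perfhost.exe',
]
```

Paste the full Processes section into `SAMPLE` to run it over the whole report. Top-level entries without the "Executes dropped EXE" flag (the two `svchost.exe` service hosts, for instance) are left alone, `\??\`-prefixed images such as OSE.EXE are matched against their drive-letter form, and a line whose image does not end in `.exe` raises instead of guessing where the command line begins.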
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 2792a86ec5d426e208f28093aae39c37
SHA1 aacbb8ccfa5e463b9d03ea60bfb77c13a5c9cbc9
SHA256 6c68fe92be6269491216a944945acb020a2185060194d10ea1bb8e3fc429b5d6
SHA512 e9db1548c18ec24fe979b994cdf33ef183c64a4f33bda8ec083e35eb6ccb6cab14f55cef4b4824e43b0ce8852412474adbf95d65a1ef23ccbbf256aa6f8dc806
-
Filesize 797KB
MD5 9beb71002723b68de2b5943b5aeb4b2e
SHA1 e0b9b6101eb14e46dfc55450e9067903e8270347
SHA256 056c887726d6e3f07965f08e68a9dcebdbaaa702ad570af9ba3d945f51fc77f6
SHA512 3064bf145677f1a8c00efa8cf811e670d3121a4c22a932756bb37a64301b2c547007330811c1c35b8803694cd73af45e1aa4e79f70954a7126153f220812b206
-
Filesize 1.1MB
MD5 2f24945c5f990bdd09ff9c28c3e9c211
SHA1 897b27e83baccfc1d91474572f3a6b6217837c2a
SHA256 afd6ac1238ae42cc8064825f26c2bdc9b5d7347b3f46109ac36a4b95740c10c4
SHA512 52ebd10cfc46b73fa0425b620a932312461f640cdbae5ddc0bd96450990b80e1f36c34a069ced36143021151a21b1c1a770ae7afd6d5d07e1c1c56731d48ae22
-
Filesize 1.5MB
MD5 239456b91fc337fa7b33fafd9a8eb1c8
SHA1 12c40fe9bca67892101496d25e60d157d6cdf66e
SHA256 e44201bc5f3a7ef3345fe53d94e76f8585168e8cdff52138fdf7ca3d47e224d2
SHA512 9d2d398200dc26836535471bd05a263a3aa1dfee62aff2c8f82f68401c2d04a9571403d7af3300d99a73573fea65b4424a35e3b969770370f831f0f51000e390
-
Filesize 1.2MB
MD5 5bade30b41844347f5fef7968fbc4d30
SHA1 44ddb176acca2b79bcc1f892e98b8efdb98c41b8
SHA256 e14ff1515278ea6ee118a145e26c127f5224941bb1193c96529e85dec57f8c95
SHA512 66a59d40cbde68b6473541b2e5c2ac2372ed06ef27e36c130d7e12c72d0e1c119704fff2b400433c8aa859e005236a16c792262d4c3770d48d6cc8a2e8225622
-
Filesize 582KB
MD5 56ebd1ab80701a7eadd125c307222e53
SHA1 79c76f8ae221dfc0a54387e3fa55f770076a3d3d
SHA256 e13d0f93b46a291d06021759154cb2de25bdea90448e1998301665b42a3c910c
SHA512 7a2be9ec058d0962e9cb6d87d9158fcfb0224fc4956b9f8b952c79c60d3cfd35e2286f37c61c7e6e64ccdbadb25bb21dd3d033be4ace9d776747e890aea26783
-
Filesize 840KB
MD5 543e096c8a12de9e4641cb4e5e7c84ce
SHA1 b9b6070c2df94f74fbf8013eac57a0e702323594
SHA256 32a13c4b78b82b4a4cdaaf1f78bf0564082029256ff58ed80ef2631dca970c9f
SHA512 d7b3bacf35a6f07b8d1ef09dcba570f1df4fdb6e3e4bfdc763fbf4204ef3223e2aec4bef6314076e5cf7ebe423a128f3906a43686b331eebe3e99ee0573162f4
-
Filesize 4.6MB
MD5 706ce6ad0b8f5d7fd36f003ee8552125
SHA1 e0ab60cf4759bf02af8f3a1ba708087297ccbecc
SHA256 3e1c406bcd797fcdbeb814b286d706b115258736b2d5778bc6d496dab91fdd51
SHA512 a4e60e9d4d934a92490cd946aab678ddc20eaff4c64028902da0c6962bed45cef4c2091a32036e9f469697b517f448034ba2457ed6602c3fe6c0d27bde90f4c9
-
Filesize 910KB
MD5 1bb97295519169f469ef37f1c22e71d1
SHA1 ff42c0e83bfb874545836f24fcf72c9df86fdbd1
SHA256 d45309281bd3949373040620e8882df14ad0d62f327a8779ce17127a2e48b52a
SHA512 d20028ae839f3edee0fad1fd96f17502235a9726cb55aa038159a324bbcd089b550c4f6fd1aeac7c7bbc515569c294abf75e47d5a71708983bdca6de70ce1eb9
-
Filesize 24.0MB
MD5 fd4ce5ea39f84f626d28c0fa3a1bea46
SHA1 3a02df5e843f47a8bcace5cae6fbd02c435bc5b8
SHA256 3585c719b715d279eb8eb19152a5952361a00da57af74dfe5e49bfc149b6f4bb
SHA512 0649b760e82325658c11e39ca5559ca3bfa2b75d3926ceb7bedc5648d56371aa46212809fbcf125998158eb0a1737dc14e4ecf5970983358a63468b93b8f3ec2
-
Filesize 2.7MB
MD5 5ce5ce062006044f89a061d8b925ea14
SHA1 2d11aae1a2ddc41f3af4ee6a6cf0b0defe6be05e
SHA256 36551eb5506051a17d86e26ef899f3e70db5ecf35562246e73b52abf85d7328e
SHA512 3d4fd98e0b5f9c7e1afc8f578e6bcfe553c7e4f89ad2f3e9ca198b22902176262b7d6ece1b1511dc9d9df0c4f063815b8725bdbbacbd3b419a844821f65f0220
-
Filesize 1.1MB
MD5 c3504ed3b15e00dc099ba6053e125b57
SHA1 9074cfed4594585c80c92a96a26fc8aa8b0304cb
SHA256 000d00160613aaa17371aa4ad51fb812229022db66e973e95dfb12f06325cfcc
SHA512 d818431ee855c71077c5a1ba881cd8d380188fe5e864e3cd3ee187be87977a7d89b06b7567311de980019f18de7907fbb2f3e18014e82097496b46cc21ef1144
-
Filesize 805KB
MD5 d1e63fb90ddda8c5753af137be06e16a
SHA1 f5120c9c9902a9bc734dca3e17be9742eac8e881
SHA256 2a41b8fe109c432906dd0ab843c8d7dbf1dd1b517991392379ab944138aca8d4
SHA512 d79eb6559a55d4db70e2f9f889a92752905b70a20547b4f65e96d873abf773204b0ab60de34d2d6272f366103c147cf7e26e85c5098c880f508297d2d8aaae30
-
Filesize 656KB
MD5 2a7a4f3e4191ffc5f9633cc32fc963bd
SHA1 2219a012f34719a2f9620ff17d856addf0500715
SHA256 6e6d3b07c723e94c0eabd01f9a954bd184759d65899a61c8c758f187e9d2c6c1
SHA512 9523b0dbdbcdd5940a7141a51ef572188e91abdce4e16d24ebf6be8eac543cc9b1a4fc2f8d349e7b4f2b6a83080eb601d3d55c4d4c6235fd57a41f2fd3c8135a
-
Filesize 5.4MB
MD5 a3851600b53947b7142bd53a632cb5e9
SHA1 fcf459f58b30902abd8024460c83b1b240d9f792
SHA256 c5e344666bc2a05113f2ec05df2baa6639b72ae21ec87553ab1f54b1ab406785
SHA512 2139f4412077c49b4491389fe88f7bbbabe3acad414b0ddf04abcf1ba2138637cb400a916582c27c3ead9ca2334b913571de5b9e9a93358554b16b369be325b2
-
Filesize 2.2MB
MD5 33f420c3a321b969600c3edc506cabf9
SHA1 79190a635d1c7fa6af63bb7af7639869e919b448
SHA256 f8d552862c503f902a722d530500275e17e7e1b5414a633faca71b97c44b6023
SHA512 5410b29f7250836149a7fa9fce4def56e42604d46e53a080c656c8614aec990e76a56ae3e26d521bf2675bd4202f6237647cac6a6321905fd62bb34c7458af21
-
Filesize 488B
MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize 1.5MB
MD5 c1f1c7fc3d0a716894a65570f4ec7a4d
SHA1 f64965ccf244572ffdc32281559ffea0189d86c1
SHA256 d3cdc39d56ec699360ab7c725ab45eaa4b5684a15299cca1af92ea30dd6f72b1
SHA512 a0d5e9adc3fac64cc9ddb2e3f1f8b93d3bb52ce9361f7b80840c0c48cd209b467e2d6349e46319de7c5886e8511f174e350249f5fd91e4304bab8f6597a8f3ae
-
Filesize 701KB
MD5 97ff594acbd179fb1f2ee236c94d9017
SHA1 b4061157099b667025b934c11dfbfac223d9dce3
SHA256 6b049abe480cb18e80c808796f1a65eb9a598827f6a38d2758f301d53a90c741
SHA512 4d79fffbe7696a03bf62aa875e0550606b28ce5455d517c10a068d7644a3e659ce1a725ae43f1d072ce1e6d7d76b0bc50387eed460e932494907ff86102454ee
-
Filesize
40B
MD56123155f7b8a202460ac1407e231fbf4
SHA113121f6000a380f6621bcb8dc7c83f9cd10ab626
SHA256dc3766fd1d9f14e305d5483a9e886548c3ff3ad2d8497e26a04c6d8c31e7be6c
SHA512ef2e48a3517f58cf068d2ed9e202ba4d2a54afdccd4937c74b5c84d5c4fd47d9b92ddcf3b842a102b426dccae53ab3bc9e571a5cf27cb315be4dc58bdaad34cf
-
Filesize
193KB
MD5ef36a84ad2bc23f79d171c604b56de29
SHA138d6569cd30d096140e752db5d98d53cf304a8fc
SHA256e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize
1KB
MD556d5a033601017de7ee006f72b174fb9
SHA1c05d12bb70e679ee38003a45ded51a82e94ef99d
SHA256389f64899868ca31e836661c8d246397b63b83eaf4ba71310ba7bc8aff395d17
SHA512d4ea5ad3c355ccd94b1ae56679fe6d8085c9ff4765f1598c67a71f6215f2cdb09bc35030cf9049e30d1d31a32b92f9502ce4438ee508624346769b9bcc60f3d0
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD593d2fbbda3115a35000ab156cb5f372a
SHA13eb9d594796a1e8411a63b95b6dff5e23017cae6
SHA2569f96e94bedc0fb2efaabb5d6f9b3a7343c0e863852c58d0a3d1c4507c6e97c44
SHA512bdb03beca8569386d5341567f18f1fc2ada6a00c491037b9269ae3af715ee913ae8b2c530af3bf775c5ea61b2b07ca10aa910c40b10abf87061b3f0c5a825d7c
-
Filesize
5KB
MD5bf12da305dc50f9cd9940cd758d46445
SHA1431a3db6e8705bf985f0b0bef3c136f922530a74
SHA256d2b444b47c8d0a3a381cf3256739b8e4f8816147a74639946a8803f2c0285cc4
SHA51266fcbf53040fd964e8e69ecdeeed0bcd2bd948a69d98c15ffd4e3c94ff84c059f598e352a861c6b50bcb7d6b94593133ac04ce865ff518d9b59ce5ea4f5e20a1
-
Filesize
2KB
MD580c9ece824708be3255fd46fed4fa84b
SHA16ab10396c88f4760224c2820d198207c54f01266
SHA2561f8af8464e8755fd26db7cc2bf44b59934126100a43b00a66da96ef4bac4e336
SHA512c8e8c5ce9c0607264264ceb4ccddc869543fc5b9d3929ad42904cefd147938d6523ee61e5ed2f6f46fba1e6c92f8b6dc14300f4c6c7cfb295fe3274677d9ae2d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e7f54138-2141-4d4b-9f2a-62a86130abd1.tmp
Filesize16KB
MD568e32254e33cc359ddf689a8216407c3
SHA1b2a9a850274c92a9c0d5ef27410dc64907b7af2c
SHA2567762cb0e77e48aeb3097e94df6a65b1d384417ea0a747e07024e269164572a44
SHA51288f2014e4145cdc22f6c69e6ed423300eb97a2d3aa89f01d6b8dbde4dd847e1386a5b51c4af51ab4892fc6f96915fc5cfff72cc0279fb8ca4be1cd35695b4c2c
-
Filesize
264KB
MD5d26530b875b0b35701c997abc7645b21
SHA1c67f8791c2b6d7d2b78ea22cba776db85673dfcf
SHA2568ad455703553bfeb3f90ac81ce897672e092cbff31eedab5841a8c5dedd05a09
SHA512192fc4f700c6d27be7fc2444ad7c5b48c3506aa9eda80ad621694aeaedb6fd8601fb97cca91c47d05c0bb7a0951c6e77305c927d407de0661a29887f2eee7cbc
-
Filesize
7KB
MD51fedcb299056deb34b3e85ee0346ab9c
SHA1ebf7b56dda1035ca8646cee8f251267cdef3f618
SHA256280df6aca64f3b06b3382f2d8750e6e6260f43f119792793a928a5ad39587f8d
SHA512087270121edfcdf8b2bcc8e9ee8a812816c24526422f447f4c0e3c8d1ad031514cd4babb1df06f53d0a4917edc005ee9dbc438d9a357006e5cf24ad360fa1e9c
-
Filesize
8KB
MD550983254a271802b4efbc1ebe23e2b27
SHA1dac2fef7c16b0d1679025fd33cc87378aac280a9
SHA25602d59b5cbdd4357518e92f6a0177df5674a8790b3cd527e2478c5139dbb8c351
SHA512a729d55a6a74dff15cc95e49b3318ea6c78615cd0a5aff932e5f63618bcfd33311622d0f79acc7038a4fb92ab7a190e483e30449ec555704262fa359447b9775
-
Filesize
12KB
MD53f21bc3f3d2cb312cb3179d6ede5c21f
SHA131d2cc26d36a14b027f50919b82545727a11aa5a
SHA256ea18d82876f31dc3c2f8b823cba06c05a16ac7afed04ad3be8deb26abbe66d85
SHA512d25d2e3dee49566f4c6fced9c3cd950f20246cd5d6bfa80692403933179aa9a48e062e80cdf3d89912568d12148a83c8c6864e9a4979ed3599ca9c8fe8bb8e85
-
Filesize
588KB
MD5fdc7b04478d5f1872d612b406844ecd2
SHA16dca130ddd79fd93e9eb006b412775e2789e3e02
SHA256d72771ecc53c472f64b9ec1b148dedd5c9abd930034e80959580d97ee39909e1
SHA512e62b10a43e23865c271cd5a0b08710ecfe82832b82718a0a2cba2a52600aec5340ad0c5fed0d380ef6e3fb04e103ebb5d69ce47c2ac1f2428775c7879a623760
-
Filesize
1.7MB
MD5b9af5128f89552d0b304b3a3bb3518e1
SHA11b6847ed286cac09f3bf9f9eca1cfa2b09a4bd15
SHA256a9e00b073326dedc2c0ecc94c94885c9a017190dff758d9d1985932ff5e28a6e
SHA5126f9e169c9273ecba98bf83233fadc0062f0982960cb990ce233d44c1339578968ad5ca219fb74cbef7b9f0c3cbd67abf44d0daf6aa72129205146b16466ba929
-
Filesize
659KB
MD54bbc9f813d2ca24d56225e352e87755d
SHA187d7a87958b72b4239739405f40a5e843791a749
SHA256c76048645d4c3397f0f98c9dbfdbc269b1026d53ac6a741499cfb0c91e8f894a
SHA512578ac3dfb7d747c1202a6d2290d3579d5756dbed75019ba84d59e046d65131f6c92ce0c3ce15dc6f31fd0aa011f3f84cc724a997e0986a20d730b9804e5cad38
-
Filesize
1.2MB
MD5f13f2ce06fa7d077d8ed2034aff4235f
SHA15c329f66ecebb8c3493462f6294b718dcef3f4e2
SHA256e50b2b7bc6ca0aa05c4f13dab3e79d8eff65bcfcc17e482e38825ef5d10708b1
SHA51285b415eab59083d8bdece2e86a47dd8f4a6160e633599ec48016b3b6984831e65fdb454da554119da75c0d057a50073418dd596f1df673946fae95b46e1e4fe8
-
Filesize
578KB
MD536a6822bb89dfeabc0bb89879c42e15b
SHA17787d2fd3dcb8c6b3c38e250d35351c291f7fde4
SHA256ad8c8652b74e8aa31fffff9c6a75fc9a19c89f607bbe80784a861b3a86dd08f9
SHA512baf5609a20732cb247891500e6afeb77cf21ebb6b6a51f919258fb949fdde05dec7ceeb7a2ad61e5f1107749039ca2e45707c161a58bd431448ec37d5fc4bde0
-
Filesize
940KB
MD5f15c41365a2d760efa9f03ace5046229
SHA1fa06d97f42fad5ea275df9349a958941bba553c8
SHA25690a0d565e0518ad7ec5b50f89077130e5238e1fd7e60445c2d69e739b20e7353
SHA5120fd2daff29315cd455e0558d03763ed38f6c870b1bb4af42c4e38cf82aa08ba20c10e828c082184aa87fc446d09bf81ea42330fc3747e11b092e88cd2b4d4e77
-
Filesize
671KB
MD59b4b935f11bd61dce5651515433416ce
SHA1cefc23e8a672cc350cae7c047729e24416635627
SHA25607acd7fcbfdbde8ec7bc5c11906372f837d9b8926fc7bdb5aab23f4a93e56fd8
SHA512da1e8b16c6d62629811d14403d6c133cf6d697b9a4fbcd2279731a7490d5ff0184ab22e7f4a46e17cadb3092efc858b441b394bab17b09eba2ed2be61e0ab47e
-
Filesize
1.4MB
MD555bfb74b4134cac26e3f21a243c5c576
SHA11132bcc852d596148178daf29d502679a9b5ceec
SHA256df2d0e715683254de8105b647862061f39adb2275985814b3057ac1d6be1a793
SHA512df404e7ebe8568275de09c7b85ba992faf08215f3252526bbb94ab86fb8d0b8f3b155abeafb09aa7695a36f654ee28ea818217f774da9caa19924f7d8361348a
-
Filesize
1.8MB
MD50dde6af95362090cbbb54400c8d50f58
SHA13dd225bbb4a62bac8a7364c4b77eb77110ddb998
SHA256e688c3f1a6e12f4c1c324fa19f7eaa1a6aa67ccfc57bb61dd30028af02946aed
SHA51223a0360021d21f5d650ce1132b37da970037f419bd2db3f7091e00f22367c95b33d3df1012d904a8f33dc562b0adfcaaa0007a5572b81c564a515ac81c14d25f
-
Filesize
1.4MB
MD5dade75284da5e5c64800cb2d6d43ae4a
SHA13125917a1dbe865a0f7ac07f4f22aa64a1c2fc04
SHA2561575d8fa48bcc53a8df880e10f6917dc9629e96a572e9ca03467f68147a89db7
SHA512665f700d5012f2fbe694eece308fc4e8b76939eb81b0dd24b7e42be0fb46c993743ab756207e527927feec872b1cff3df61fcd63c950dc2ded0fe16ef302928a
-
Filesize
885KB
MD50d3d4739f0ee387c8d939dd05e99d019
SHA158e947bbd6631aad7f7f61a52291a4a31b9c9ac1
SHA2566b6f835f999887cf42b077cf049fc06232c55d909da612ead6595b5cc90f41e5
SHA512c30ee71fe24fe55d04c18de4c1d467f3335e16baf65bb3ad02b8c35b1faa96112f31aac15899f6d158dfb45db79f6b5457640b48c87e0f18e78926cc095aeed2
-
Filesize
2.0MB
MD52bc4587370808f344ab2f236f75c2659
SHA194489c2971063066353c181d6b5df10f4812043e
SHA256eb3bb0135509b1bfaf2035316b4a4f7c7f74c88ecaea7c3735d41eafbe6c933b
SHA512dddeec1168cd56e00ff7393a18dd5ef710e27b13c5199335beb81646164cbd287f2d02a5ccb916d360770e8102d8d57912cfa5806b50437ec03d81b60792624f
-
Filesize
661KB
MD564b38fa415aa22bd97314fefbaebfc23
SHA193c4bc0a446dc07cb7c42e16f0e60116be8f890c
SHA256e0a5f24ee4163b9bdbe0833d0e73b76cdbf14dd98a6dee676877b17f607ecd1d
SHA5122040e885ad79a03ab1d2a308d3e6f273a39b5a2e13250a6861ada958e5347411c7c80398be7a059f17b5200c5ffac9096e63eb71b779f2ba27ea586a5f0693ec
-
Filesize
712KB
MD53d466c11292e9cde55a751c5756ff131
SHA1f4f98dd622151d2f757a2e4efc3e80bb9dbcd954
SHA25653a8a396e7e49ae5039c527392ac88cac036350a9ad24b07af2c15a5586dd5d8
SHA512d4e9b7023463ed1d824ee34918e883f7693a84da6be2cfaabe78c6eb3f253c628560fa86da303cccb77a957da22c234e4676a98cf236e7aa253924c865baec2a
-
Filesize
584KB
MD5b99cce4b8d9d51c3d82f91a195f8561b
SHA13fadaf4ac08a5da5aee61e96493a4fd2595ccec8
SHA2568bdbc132b3cb5509383080702b0b0399baabf1abdea19104f2bf231363181282
SHA5124cd5fe12bbf42344bb73f78419c1c71667784d27fc6153642cad863805d3a68ce8524b592364686ac26b3af9b90e96f2c62dc15d04a5e411f27714a7d10e7cec
-
Filesize
1.3MB
MD51cceae7e9bd38725d4d079c78c568119
SHA181d51993f2f150296ef8c9bd143d5494b514c150
SHA256c81e09fcf29a8b3822a1c2ae72fed32595d9e116d96d44f0988496f0a766c714
SHA5124a19b85cc261d9f7bf07de5784c15501cceec5566bd575fdcced8a25c71267f4e20d17d0c7c54955de51064ff306c5cbaf3d81106d3f8b2c7d93d844407b204c
-
Filesize
772KB
MD54ac36215edec896d70188b93922ea874
SHA1f8606ff0ea11f6da19d5e17cac5a3ee7ae56e2ce
SHA25640e9c16339266096f33ae14b0aac011e6e73ac53141e1e50c7c6341c53fda801
SHA512893915cf9f04cfd726a4fd3f351abd418637bd77f372ebf0161ccb233a532978353da72d2c3bb16349f0dfda416463e6df2931671ccf890ee3717b771add8272
-
Filesize
2.1MB
MD533868b5f9afead8557b4afb9ea525040
SHA1a47fa15e23a35f84b24206f4d177a32c5a4bb673
SHA256938a75952a39e92f264e2c2648b4426f6f82985d8c732c17b2b5a7965101ec28
SHA512e8985c1e732c6366eb10944dea29506fbdf63b063e7a559bd0825459f28a0f6a4feefa912d22e923b9e8f9b4a7168fe8d19d31268ef97601709b8b14ac85d9c3
-
Filesize
40B
MD5f8da1e3912337378c0f722f616cf6aaf
SHA122482c3e69a3b76d24d4e88d30e345654afd0338
SHA256342768ee193e599905624366abf160660028ba384d57ae4da8734bc9473b010b
SHA512b72adac4dc3ef8cd0c1275eaf376da652f8aa271a162aac1a54571f6f93c0e5fe9fec69a9cf380f84fa3ce438f06e3c9c2493a1d422f5d1bf4c46d6962ca9f47
-
Filesize
1.3MB
MD5aa8c67e258927c453d22d4ddacc28f06
SHA11f612dedf5a36628ae0f203a8cdbef354ae3e209
SHA2563619dfab6d9cda159c82973f289b703ee3cfc98bdbc4b30dad1e55a1b9b1d128
SHA512bbc91d856d6470bf0e8ff663887f72e021dd926f2a9a9a73443d3d9cb599cf39220b468891c70fa76fbd16bec51613c46bba05d026e90e59d59f4fdef5e8752e
-
Filesize
877KB
MD548ecba75b7508dd9636ab14213dc2757
SHA1e264e04be765fa1aea59d32d2e09fd3e22de140b
SHA2568c7953d94d719561f1719c0581f6fdbdaafaf996f64615e87ee48bc054595690
SHA5124029c67fdb692aa104f6ca1c20544970c88ad89ed5848876196c7d386f1c4609a450c1935f005879adb27a98622a0b8f503d197a613f5fc91743974d9e5612d7
-
Filesize
635KB
MD51ca1a3cb2f4235e3545e9860662cf0ba
SHA1a1d712c76f415d81a9eb070773c93cd31c397cc4
SHA25639f419b95cbf49122506cf66cb5685a95914c409ad43dacb4e47703f987eb288
SHA51233675a8e5f477d074ba6e158879ee070180dafcdd9a5a750727d84d254ceffe9e96387017ccb10e190125bbab967be8510286bb7e0ba2ee6984b354f5f1e05e5