Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/06/2024, 18:53
Static task: static1
General
Target: 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
Size: 4.6MB
MD5: 55ca08678f751fb95cd3353920c58552
SHA1: f41473bae96f46863f43fca0d9f16b48f40ede44
SHA256: 5e7c7edb35812ca1ce75ebe32d05e7898e47cbe48b6ae4d0b94876dac00378c0
SHA512: 79da984a6ceb18e9e0b10d5c78aaa596bc769d04dc66c1fcf12f8aead6308b3514e78af03a277f39c6735af3c55ddccf1e0ff68318c0c68414d875a3a031ee31
SSDEEP: 49152:WndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGQ:M2D8siFIIm3Gob5iEv69CEN6rV
Malware Config
Signatures
Executes dropped EXE (26 IoCs)
pid | Process
1872 | alg.exe
2704 | DiagnosticsHub.StandardCollector.Service.exe
1360 | fxssvc.exe
4992 | elevation_service.exe
4764 | elevation_service.exe
1232 | maintenanceservice.exe
4908 | msdtc.exe
3444 | OSE.EXE
3448 | PerceptionSimulationService.exe
4996 | perfhost.exe
5044 | locator.exe
4896 | SensorDataService.exe
1544 | snmptrap.exe
3752 | spectrum.exe
4500 | ssh-agent.exe
2492 | TieringEngineService.exe
4336 | AgentService.exe
1360 | vds.exe
3160 | vssvc.exe
5092 | wbengine.exe
3644 | WmiApSrv.exe
1248 | SearchIndexer.exe
1236 | chrmstp.exe
2604 | chrmstp.exe
5208 | chrmstp.exe
5356 | chrmstp.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\bcd86c0ec3a5208d.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000240619a930bcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000294449a630bcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133626056086132563" | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ecc5ca630bcda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab9a45a630bcda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0be51a830bcda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000396225a930bcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074483fa830bcda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000205a49a830bcda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local
Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000056ea38a930bcda01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4ba24a830bcda01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" SearchProtocolHost.exe -
Modifies registry class 1 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 46 IoCs
pid Process
5020 chrome.exe
5020 chrome.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
2704 DiagnosticsHub.StandardCollector.Service.exe
2704 DiagnosticsHub.StandardCollector.Service.exe
2704 DiagnosticsHub.StandardCollector.Service.exe
2704 DiagnosticsHub.StandardCollector.Service.exe
2704 DiagnosticsHub.StandardCollector.Service.exe
2704 DiagnosticsHub.StandardCollector.Service.exe
2704 DiagnosticsHub.StandardCollector.Service.exe
6320 chrome.exe
6320 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
652 Process not Found
652 Process not Found
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process
5020 chrome.exe
5020 chrome.exe
5020 chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 3348 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
Token: SeTakeOwnershipPrivilege 1112 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
Token: SeAuditPrivilege 1360 fxssvc.exe
Token: SeRestorePrivilege 2492 TieringEngineService.exe
Token: SeManageVolumePrivilege 2492 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4336 AgentService.exe
Token: SeBackupPrivilege 3160 vssvc.exe
Token: SeRestorePrivilege 3160 vssvc.exe
Token: SeAuditPrivilege 3160 vssvc.exe
Token: SeBackupPrivilege 5092 wbengine.exe
Token: SeRestorePrivilege 5092 wbengine.exe
Token: SeSecurityPrivilege 5092 wbengine.exe
Token: 33 1248 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1248 SearchIndexer.exe
Token: SeShutdownPrivilege 5020 chrome.exe
Token: SeCreatePagefilePrivilege 5020 chrome.exe
Token: SeShutdownPrivilege 5020 chrome.exe
Token: SeCreatePagefilePrivilege 5020 chrome.exe
Token: SeShutdownPrivilege 5020 chrome.exe
Token: SeCreatePagefilePrivilege 5020 chrome.exe
Token: SeShutdownPrivilege 5020 chrome.exe
Token: SeCreatePagefilePrivilege 5020 chrome.exe
Token: SeShutdownPrivilege 5020 chrome.exe
Token: SeCreatePagefilePrivilege 5020 chrome.exe
Token: SeShutdownPrivilege 5020 chrome.exe
Token: SeCreatePagefilePrivilege 5020 chrome.exe
Token: SeShutdownPrivilege 5020 chrome.exe
Token: SeCreatePagefilePrivilege 5020 chrome.exe
Token: SeShutdownPrivilege 5020 chrome.exe
Token: SeCreatePagefilePrivilege 5020 chrome.exe
Token: SeShutdownPrivilege 5020 chrome.exe
Token: SeCreatePagefilePrivilege 5020 chrome.exe
Token: SeShutdownPrivilege 5020 chrome.exe
Token: SeCreatePagefilePrivilege 5020 chrome.exe
Token: SeShutdownPrivilege 5020 chrome.exe
Token: SeCreatePagefilePrivilege 5020 chrome.exe
Token: SeShutdownPrivilege 5020 chrome.exe
Token: SeCreatePagefilePrivilege 5020 chrome.exe
Token: SeShutdownPrivilege 5020 chrome.exe
Token: SeCreatePagefilePrivilege 5020 chrome.exe
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process
5020 chrome.exe
5020 chrome.exe
5020 chrome.exe
5208 chrmstp.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3348 wrote to memory of 1112 3348 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe 89
PID 3348 wrote to memory of 1112 3348 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe 89
PID 3348 wrote to memory of 5020 3348 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe 90
PID 3348 wrote to memory of 5020 3348 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe 90
PID 5020 wrote to memory of 2652 5020 chrome.exe 91
PID 5020 wrote to memory of 2652 5020 chrome.exe 91
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 4024 5020 chrome.exe 117
PID 5020 wrote to memory of 5172 5020 chrome.exe 118
PID 5020 wrote to memory of 5172 5020 chrome.exe 118
PID 5020 wrote to memory of 5180 5020 chrome.exe 119
PID 5020 wrote to memory of 5180 5020 chrome.exe 119
PID 5020 wrote to memory of 5180 5020 chrome.exe 119
PID 5020 wrote to memory of 5180 5020 chrome.exe 119
PID 5020 wrote to memory of 5180 5020 chrome.exe 119
PID 5020 wrote to memory of 5180 5020 chrome.exe 119
PID 5020 wrote to memory of 5180 5020 chrome.exe 119
PID 5020 wrote to memory of 5180 5020 chrome.exe 119
PID 5020 wrote to memory of 5180 5020 chrome.exe 119
PID 5020 wrote to memory of 5180 5020 chrome.exe 119
PID 5020 wrote to memory of 5180 5020 chrome.exe 119
PID 5020 wrote to memory of 5180 5020 chrome.exe 119
PID 5020 wrote to memory of 5180 5020 chrome.exe 119
PID 5020 wrote to memory of 5180 5020 chrome.exe 119
PID 5020 wrote to memory of 5180 5020 chrome.exe 119
PID 5020 wrote to memory of 5180 5020 chrome.exe 119
PID 5020 wrote to memory of 5180 5020 chrome.exe 119
PID 5020 wrote to memory of 5180 5020 chrome.exe 119
PID 5020 wrote to memory of 5180 5020 chrome.exe 119
PID 5020 wrote to memory of 5180 5020 chrome.exe 119
PID 5020 wrote to memory of 5180 5020 chrome.exe 119
PID 5020 wrote to memory of 5180 5020 chrome.exe 119
PID 5020 wrote to memory of 5180 5020 chrome.exe 119
PID 5020 wrote to memory of 5180 5020 chrome.exe 119
PID 5020 wrote to memory of 5180 5020 chrome.exe 119
PID 5020 wrote to memory of 5180 5020 chrome.exe 119
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Each entry below gives the process image, its command line, the signatures it triggered and its PID; the bracketed number is the nesting level in the process tree (level 1 is a root process, level 2 a child of the preceding level-1 entry, and so on).

[1] C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe"
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3348

    [2] C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2c0,0x2c4,0x2c8,0x294,0x2cc,0x1403796b8,0x1403796c4,0x1403796d0
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1112

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
        - Enumerates system info in registry
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID: 5020

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc07d4ab58,0x7ffc07d4ab68,0x7ffc07d4ab78
            PID: 2652

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:2
            PID: 4024

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:8
            PID: 5172

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2036 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:8
            PID: 5180

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:1
            PID: 5236

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:1
            PID: 5296

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4296 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:1
            PID: 5932

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:8
            PID: 6000

        [3] C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
            Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
            - Executes dropped EXE
            PID: 1236

            [4] C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x2a0,0x298,0x29c,0x294,0x2a4,0x14044ae48,0x14044ae58,0x14044ae68
                - Executes dropped EXE
                PID: 2604

            [4] C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
                - Executes dropped EXE
                - Modifies registry class
                - Suspicious use of FindShellTrayWindow
                PID: 5208

                [5] C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                    Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
                    - Executes dropped EXE
                    PID: 5356

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:8
            PID: 5140

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=736 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:2
            - Suspicious behavior: EnumeratesProcesses
            PID: 6320

[1] C:\Windows\System32\alg.exe
    Command line: C:\Windows\System32\alg.exe
    - Executes dropped EXE
    PID: 1872

[1] C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 2704

[1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    PID: 5100

[1] C:\Windows\system32\fxssvc.exe
    Command line: C:\Windows\system32\fxssvc.exe
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID: 1360

[1] C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    - Executes dropped EXE
    PID: 4992

[1] C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
    - Executes dropped EXE
    PID: 4764

[1] C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    - Executes dropped EXE
    PID: 1232

[1] C:\Windows\System32\msdtc.exe
    Command line: C:\Windows\System32\msdtc.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID: 4908

[1] \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    - Executes dropped EXE
    PID: 3444

[1] C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    - Executes dropped EXE
    PID: 3448

[1] C:\Windows\SysWow64\perfhost.exe
    Command line: C:\Windows\SysWow64\perfhost.exe
    - Executes dropped EXE
    PID: 4996

[1] C:\Windows\system32\locator.exe
    Command line: C:\Windows\system32\locator.exe
    - Executes dropped EXE
    PID: 5044

[1] C:\Windows\System32\SensorDataService.exe
    Command line: C:\Windows\System32\SensorDataService.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID: 4896

[1] C:\Windows\System32\snmptrap.exe
    Command line: C:\Windows\System32\snmptrap.exe
    - Executes dropped EXE
    PID: 1544

[1] C:\Windows\system32\spectrum.exe
    Command line: C:\Windows\system32\spectrum.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID: 3752

[1] C:\Windows\System32\OpenSSH\ssh-agent.exe
    Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
    - Executes dropped EXE
    PID: 4500

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
    PID: 4956

[1] C:\Windows\system32\TieringEngineService.exe
    Command line: C:\Windows\system32\TieringEngineService.exe
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID: 2492

[1] C:\Windows\system32\AgentService.exe
    Command line: C:\Windows\system32\AgentService.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 4336

[1] C:\Windows\System32\vds.exe
    Command line: C:\Windows\System32\vds.exe
    - Executes dropped EXE
    PID: 1360

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 3160

[1] C:\Windows\system32\wbengine.exe
    Command line: "C:\Windows\system32\wbengine.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 5092

[1] C:\Windows\system32\wbem\WmiApSrv.exe
    Command line: C:\Windows\system32\wbem\WmiApSrv.exe
    - Executes dropped EXE
    PID: 3644

[1] C:\Windows\system32\SearchIndexer.exe
    Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 1248

    [2] C:\Windows\system32\SearchProtocolHost.exe
        Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
        - Modifies data under HKEY_USERS
        PID: 5452

    [2] C:\Windows\system32\SearchFilterHost.exe
        Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
        - Modifies data under HKEY_USERS
        PID: 5876

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3144,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8
    PID: 5952
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
488B
MD56d971ce11af4a6a93a4311841da1a178
SHA1cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize
1.5MB
MD548fc7a66a38de137032b6a21beae4954
SHA13fba192b5a8f2f282cc51abe1ced4aa5fa38d7ec
SHA256d253c9ff6a908cea980cdef04a5674bf8b99ba8fea3f4b546cf8319a47fa9186
SHA512019fb77c2a37bfd5c72aaceef6fc5d1aaa6c5d086c2c0d364ae32c89d7122c4eaea802daeabb6b9bb150d45d45c78ca021855ef811a7d72631a160da3022757c
-
Filesize
701KB
MD537472a5bdd984821bced761264a204c6
SHA18c18d95d000bbc23f050efa591869bcf182f1a51
SHA25600be8f5b0e313e550e2872adb6ac662118209aff59dc8cbcda555e993d199e69
SHA512ce3521a1f1b8110b68b09dda3931d3dcdb96c177410bab1d7dfbf5daf730d21014c675a2035ae1f89b293b10fe8ec5d6fc77e1aafbdb4266a27e486d5a3f1d3d
-
Filesize
40B
MD5e646991f9b7863013f4543e5deea2d49
SHA17d3ab1c249b15c5bc5761baef819fa96b043539a
SHA2560cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07
SHA5128b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f
-
Filesize
193KB
MD5ef36a84ad2bc23f79d171c604b56de29
SHA138d6569cd30d096140e752db5d98d53cf304a8fc
SHA256e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
5KB
MD5d5aad58861ea27d452be4adb99f5f90a
SHA146d63932e0d4d36ecfe25bfc4103218d14ab0564
SHA256813f0dd9e27caefdaf5c874ef0740767caa99d6e7300bcb8215b38bb04c83514
SHA5128e7e91cd75b0615dc1de3d71cc5aaaafa8a6c62b1e6f7b64ec2de3af98497e0649b7f0ce2604f0235eef959d9f4ad015de585c3639c07e7da307603fb4930cdc
-
Filesize
5KB
MD55b8863726ac1d2cc99bbea48607a3b4a
SHA18a8cb48c0ea1bc61a949d564034f6f281feeefc3
SHA25649ad474e109f70e9854efcedd75508253271b0c4b5f4ffc039dd2b8fdf994c10
SHA512098df0186f24983141233710b52d43c617abd6eb481d18714c3bbb355babee441d18b83484d1139aa772443e2b97dd02a08a8b73bc975816ffc0105b32519cdc
-
Filesize
5KB
MD5e9c051e119da401f867ab348cafd541f
SHA1bfa342f06d90231e3939ba4a31eb490dfd30dacc
SHA256d016c945f92840fcd41c1a2b95efb7948df660e6ab7ffa4a37396f3de0832b96
SHA512e25a0ce5a9dc94e9ca1fc115b64d6e505ab06b4ae2a09193350b1258fa76c9948d57924852a43da482f40b9734791e909271336b50dd8275627f948a8017b66a
-
Filesize
2KB
MD5c4d12c24a85b7e1aaf85cad983fe7610
SHA100bcb6e962cbc5a3d88689ec2f8c15feda6ff7fb
SHA2566568b506f3cb4367abf414e66e1e93a4d4e40339dd3a2a1d5ded1f1907484337
SHA5120d45cd5f36424147b7a67d4f154539d9ddde285cb363a139c5922814e6073cf731d61902a7eb84e9ac6547bcd52e65b023a2f97636072db478ccd04495a59aa6
-
Filesize
255KB
MD580caab93b92cb9a6e99928b495731968
SHA1e66a46d1d124893c6cf4f2b70293433ca0feb17a
SHA256add6c41f7df980a99ff1e1be979c4c1bc238d9ae8fa37f6bb700481fa6990137
SHA5122356dabeee87ca99e53b078915a9b6f3bf0bc285273640f306ff59e8be9db27d467dd4d08aefa9d95535e8d974c5a54ce1c4abdd8d72ce78271eac84765b0a10
-
Filesize
7KB
MD559b03b2dd7f024e92ed5a40cd3993c9a
SHA14584315731a4fdfdb5d586853f811f1a8f6ab385
SHA2563083766bfc4b8554860030eebdd044db3d7269bd9d18f8df78da35084b53b96a
SHA512825bc0783c92c4d0769bb74b98d6c1234e3bce30a4ac51fc7eef8ce541a218692e121683db6b6ca60ed12cc6dad265c5d2edab297a9a9ec3e79f29a7c5cb8924
-
Filesize
8KB
MD5ee48e93e3f7ac857ad26631958ebe793
SHA179ac896a38e5b1c2627ec6171b6a36cf5f8d3ca2
SHA256ec37912fd1a4b995a152d40f8c3ef7934c8a4a203b070316f0809753ca4f4c0d
SHA5122e0f739c1c2d9f9c6ed39c6de6c0d76b95cce930ead609c4c58ff3cf0c70f0abc3e312df076a6512b421e42a7288a823c9e774b6f81c0b4b2b9ce288c97b2daa
-
Filesize
12KB
MD581edc1d8b137d8f3547f9c66e190553c
SHA1d615b8d424f9e7a1e1b05d952862358b04618953
SHA256c1789205f6ac2d09508d6a6bfb3d959494d6b40ad0d7fcad443825ba0cdde9d0
SHA51221e9a8ad39525239ce0b1672688120807c25e481e36bd19a052188b68f489fb7d15fbf4d04f8ad5580a64b5c320fb4281e08d32fcbcbcadf9e03da715148499c
-
Filesize
588KB
MD561c5d8b2441b9326efa807baba80b230
SHA1d5fedad6d426ae3ccd7b0c0033013bf0dacae930
SHA2560b07c7f004751134b4b9fcefda1307bddc1ead0a7a36140f7341a200be5c9971
SHA512af5384307e21df0b3cfd1d59a4c8fcc765de58f245b3ad9801237c2a15fe1e0711df05d806037775ac8a0218a1c0fd76f3e061a7bb70cf057c5d5132232025e4
-
Filesize
1.7MB
MD598a7d5ed19494f4a49fe13ecc5664769
SHA11c637dac4d0d1b405dd864b0c82948982434954f
SHA256542a2871d8f3dbf3c7a1e3cc112dffbcc70ed9166fd8373a970a86ef846ec575
SHA512d4cc169d7c453535a7582152379435d07e9e368aa8d40af87802c9095f96e2868cb712bedf58452ec44bcc942ddb8d9a0b5ac65074acfcb3a60c205dcaed3f5e
-
Filesize
659KB
MD5738932ccab16a6011b3d3b42f027de7d
SHA16feb97a5c13e5c3644135e9b7d51ab0b6e22b0b4
SHA256472c057cf5410e8113555629538005edf27202486fd428e38756f3de937d76eb
SHA512ccb4a61b2cf6214c981fd6e88f80de949ac5bb4a3f83b98360789111a01182b0883b12303d027751640b8a4b3da6697f3d3d28d6a6bdd743913308f885de5467
-
Filesize
1.2MB
MD532974bfaab47035d1ad150cb6d12a2d6
SHA151ffb328c6cc9f9ce8849c15b11c1b5c23e650a7
SHA2561d97dd43ae82db354c967396edd3d6f4466d2a7aa5c85d6094b4142fb0cab9c6
SHA5124019889458a677fbcce12246b51d1754fcaf7f4259191a018063d2719ad563309799c3b02a08aa6ae06beef94a4dcfa6fc15afb2ca04037b083f3dd03c2b6dd6
-
Filesize
578KB
MD5b59b6dafe2e4f7ee1cb2809a3eeffabd
SHA1ac36ee715451cdd22db699288ee5e7d764928797
SHA256ea88645cee7a31a2feee159f57dd0b96cc952f0709da7ef9081023f6cc1382b5
SHA51221135b0eada592d25a2c924ac82f6b6f896bbf0ee083f11dcbf75370355994af6c55a033a1da96e8e60d7a50ce04c2a1b99cd6c970a94e518234f53a6ba3fcbe
-
Filesize
940KB
MD599e20a4a0fd1fcf9912b43ad9b5b873d
SHA15a39056bed169987a6bc7bed1b0d689108684396
SHA256279df47f25ad62ddd9b3efb9ee71b6ad0ab0cbd5fc6670c967619e749a6e4e0f
SHA51246ab7b9b763921085657ab10a5037a0dc39dc67ce189ef83e2929dcb703c56c9d0da1d88c67c261403c954cacdbed61d23ec45046322e922bfbedd0162094ea4
-
Filesize
671KB
MD589abd1a3112fe9944c31f04e8255f8e7
SHA13bfb4d9a38e31136ef24c8f29989173b051574c3
SHA256f4c391d876b7643ec878f78b89d855de6211a25f3fbbafae0c6bceee859944ba
SHA5125d526250c5b3a71ad601a6e89a74cbea32f8abcd8cedba328103a0e1aba150fd0a6c57ef0902c14a21da377f347b63da2da885ac67a77c17d65402b7a6ba1987
-
Filesize
1.4MB
MD5d680a5d3ef5c3b083ed9d3b74b627c3e
SHA1421102a1bc7b61743d742bf5d8cc143828ecc520
SHA256fb067c0ebe945c547875303928d632cc4eb2d0ac98b18195e35a25d26f8a7558
SHA51275df06ef2f7c17d21fc041dfaadaf99a623cc31e6b88ece56b7c3922c5389a4bdf562fecb211bcf447a2da5ec3551ce4907957a385d1f72513986eae8f21f9f4
-
Filesize
1.8MB
MD59618a44af02b2c6ff4b6e6a3daf0fa1d
SHA1510136b819e1b2f269e8cfb1f9350773f6bd5bbd
SHA256631bc48ee2bee0585ae7834c07119598a96cd285fad8924fc0ec18ea3b803d32
SHA51244299f6297c079844245243da61a9bc5cb4cc0604ad1c73aa7ce4f814ee45b9d5e607e01adf190d84cdaf4cc820ea3d75867e531933fb01ed13815450f15b8dd
-
Filesize
1.4MB
MD58028be7beddd36d6eb2d4b0107d5dae4
SHA1adc4079c837e411eba35532abee5306cecd9ebbf
SHA2562b2b518438874df617109f97a806e8d12a3faa6b8202735aa03dd6b373ac1c3e
SHA512e28a89b99ce3bd1c32480c5b8dd28819709ce8f12258e468834fca6b289642c166529704526d404ede16f6fdd5fa17d2cb18c6addca6ab134b8c9e5874b0f91a
-
Filesize
885KB
MD55da6519d6894184f2bb8f83ecbe2918a
SHA1f14aba85a0b6c9f0e82afb68b1d72bda893aa6b0
SHA256e9d9693bb9251d8e5298dbb600c92c4278ebe9c805f598c3ada0be5868ee72ee
SHA51257a635debe40231f083f2ae92d0250c5878b966b42c6a70614fea0212932d9dc239e91b73b67c206040a14ccbb7fac8acd05936efaa759b62bcfdd4f4db9c0c3
-
Filesize
2.0MB
MD508c997dace168253160979888fb70d83
SHA113a8eccc90158ee84e3807fb292a67fd135010d0
SHA2569cbf1fde19b041215fe1f47e93d079629839ec101691c5eefae2f8b1275d8820
SHA5122f3900ce63c9a867e607e0ee7c1e0347b05b04f2b266ef36ba8182fc36abf213a88242cbceed993c95b6a07343a70c3c9e53ee6701cbd4ec320e8d18b568de08
-
Filesize
661KB
MD5fa8640d90ef9358c50dbce41b5f11bb4
SHA1dd95a5a211910563756a804def6c11a4e01b93a5
SHA256ddbdce7d77cb0642359743492695b845a3ac59822a20707ff746a2cec62ca8e2
SHA512ececb31c6c30cdb2f780de2c32b36d94331dd4a8717c169c9a94bbe4cb66306355552ddcd7ba49ab2cd27ae6b9b7ec3ba2dce7af00caeff75321a060c8accee3
-
Filesize
712KB
MD585bde09df5b28370902aa31ec381b519
SHA18ca7a492a19cc79fcf61e77cc2c8a3aeb5db0128
SHA256183fecdb0abc2c45a74d30413b4f42bf314bc850004d99d708c9fe25068facbb
SHA5126df1cc0e19fdd11adbbf34654c1f72729b34eec1b2e948b97d636dff3aa4baa9be78b199b31cdd392423bf6338109385df187543fb38aa784ddba6c49e049bac
-
Filesize
584KB
MD5a8c234ac032d02a2e1dcd4c4dc5faf5d
SHA1d209fcc728472c7b956a9c04b2a98a709e414b8a
SHA25662bcd986530774febdd20bb9276b8e9a8487ac2a46dcbd417c5b47de58217a04
SHA5127059371b289ede591a4d98586f1b52d6bb09b359d96b7207427117461c091ebf90f2e56f18422d6ac810de72ac7b3ce645bf8533f6877a1dc4df931d192bd902
-
Filesize
1.3MB
MD544ac3ce9a4ed9810896ef4a46c1007f8
SHA1aad81bf783264d81be1c5bdfb4ce922ad24ebd0f
SHA2561efcfc67f9e0a18d028e46a1abdc7e6eb802b3ebfb9834a6ddce2d940d28ac2a
SHA51257bc08084d59f41077749e5efbd184dd84125f443041061da51b81c5aeaa2f4af0f73d501e0fc373895d5bf188db92ec66dbfc1a7b4a2c0c024deb0d70038b7b
-
Filesize
772KB
MD5ab6baf23eb880c0ec5c21d09eb99c95a
SHA1bd41aebdbb175b6d40e223e45d135c91fb85a85c
SHA25661c06e6c0e23bd04f897d885c33cf859de964e962f5365ce9c7459c6639b5cd4
SHA512b0e8d1001e9426ea0b1e50ca49d8d9fcf3c055a78da4cfd1f8cda04e195f29595a6c28871284751f5b9edd6d5c7e98a9a3acbd71d5b15bc53554442806a8f6d4
-
Filesize
2.1MB
MD556e7fa1d7e30c5863b792131d6de2252
SHA1c5739ab6b25b0cf15426d7525227f4468f476c27
SHA256a9f186c36a5baf56a681e293a201fc483a3ce01a4e000ab543307e18bfec9ac1
SHA512c25ec95714c714bb1db68f7789e4068118b3109a2747d38879ff2eb805c798f5c63160c9af42e3cfdeda09b4c8f05ba1237bd5a4da0d0ca4696bb2d0f86bfe78
-
Filesize
40B
MD5de12892063f81f60b11c0497ec332fa7
SHA1ccfa0530f55d277c3fe6d75260088ae08d5b7616
SHA256afd8ccad757251c38eecbb67fc9f41af5aecfec62b521b229c5b17e17ba05eae
SHA512441e809f431b7d1715efa1a6eeda910ba6945b9529a6330cf964a1d8f7233e97893e6eac6758abbeca4c61d315829371fa2e2fa02a5b838d1fb79e7a43b6d7ca
-
Filesize
1.3MB
MD5f3ae634eb93f807db0034fc8a3ffe8dc
SHA1afa4c577949b36c9a57ee3e54a3587a62d22eac6
SHA25666735e66af495955f381c8f57649e8c1801974e69ad9ac5eac86a6dbe38baa8c
SHA5127acf7e4a78d2b411d2c3f66228d2ef9122c5df94e40dbce35285038e37a7225f4f72d61022532a9e02d386f402287a28dfddfc69d4b18f4e3ef681f43fda5c94
-
Filesize
877KB
MD58ecf99ce2efe610ea9b0812fbf215418
SHA11029431e4d6e6922e21a0da1da8bc475749634dd
SHA256a842017153ee713bfee24c04254b37dbabc98b3455e9df898fa9b1a4d0539701
SHA512ad4fc09c76ce765060d1de020f2970469b5ce3ee3818ca09105323b8569a9828c7579667c5b7d6f27c9979941e65f631008f22eb047b858f0ae35a2617f12415
-
Filesize
635KB
MD5d24f4f673750ce678fc7f82fe38c5a5e
SHA1ea9b302a14346f8973242ab5b430662aff0f162e
SHA256f0328702232ca913493aa035d96e270802db12c9c6d6c0e0736b58d8142c6e56
SHA512ab83efb70f7d8d7b0a2324e3067c32cbfb829cf49e72cd800d7e37a7bee9faa6fc43e373452ad6521dfe0a7b7d45b7b053cc3bb53c57de23c23c58fbb8a353d0