Analysis

max time kernel: 138s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/10/2024, 08:25

Static task: static1
Behavioral task: behavioral1
Sample: 2024-10-21_9fecfd4c3d7862921a2e06b026a3d5d3_cobalt-strike_ryuk.exe
Resource: win7-20240903-en
General

Target: 2024-10-21_9fecfd4c3d7862921a2e06b026a3d5d3_cobalt-strike_ryuk.exe
Size: 3.2MB
MD5: 9fecfd4c3d7862921a2e06b026a3d5d3
SHA1: 04c5e957c96c7a8c61ecf850ec7830ab9baf68d3
SHA256: 4eca1b53f9a34ff31976a838231c91360bfb48175d60cc168c341017d955903f
SHA512: 91e7cb9af7e52c928b03db69a92d216531809458fc2eac12e5a760f1336182ea2202d5f54e803e481b56de8711e1f1ae1f7010072f116a0b16cf9619ceabcf1d
SSDEEP: 49152:D5k1YCdptya507NUUWn043oHS3fTGYwVq1/xT3DDbwwTU+ete30jaNf1TWbdz:XNhSqYw8OlU023W
Malware Config
Signatures
Executes dropped EXE (22 IoCs)

  pid  | Process
  3764 | alg.exe
  3428 | DiagnosticsHub.StandardCollector.Service.exe
  4364 | fxssvc.exe
  5024 | elevation_service.exe
  992  | elevation_service.exe
  4228 | maintenanceservice.exe
  1192 | msdtc.exe
  3960 | OSE.EXE
  2708 | PerceptionSimulationService.exe
  2424 | perfhost.exe
  1056 | locator.exe
  1652 | SensorDataService.exe
  3460 | snmptrap.exe
  3940 | spectrum.exe
  1952 | ssh-agent.exe
  2392 | TieringEngineService.exe
  3924 | AgentService.exe
  5176 | vds.exe
  5280 | vssvc.exe
  5480 | wbengine.exe
  5604 | WmiApSrv.exe
  5824 | SearchIndexer.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)

  description | ioc | Process
  File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-10-21_9fecfd4c3d7862921a2e06b026a3d5d3_cobalt-strike_ryuk.exe
  File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
  File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.

  description | ioc | Process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)

  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d2f26d49223db01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe -
Modifies registry class 1 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe -
Suspicious behavior: EnumeratesProcesses 41 IoCs
pid Process
400 chrome.exe (2 rows)
4916 2024-10-21_9fecfd4c3d7862921a2e06b026a3d5d3_cobalt-strike_ryuk.exe (35 rows)
3076 chrome.exe (4 rows) -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found (2 rows) -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process
400 chrome.exe (3 rows) -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4580 2024-10-21_9fecfd4c3d7862921a2e06b026a3d5d3_cobalt-strike_ryuk.exe
Token: SeTakeOwnershipPrivilege 4916 2024-10-21_9fecfd4c3d7862921a2e06b026a3d5d3_cobalt-strike_ryuk.exe
Token: SeAuditPrivilege 4364 fxssvc.exe
Token: SeShutdownPrivilege 400 chrome.exe, then SeCreatePagefilePrivilege 400 chrome.exe (pair repeated 3 times)
Token: SeRestorePrivilege 2392 TieringEngineService.exe
Token: SeManageVolumePrivilege 2392 TieringEngineService.exe
Token: SeShutdownPrivilege 400 chrome.exe, then SeCreatePagefilePrivilege 400 chrome.exe
Token: SeAssignPrimaryTokenPrivilege 3924 AgentService.exe
Token: SeBackupPrivilege 5280 vssvc.exe
Token: SeRestorePrivilege 5280 vssvc.exe
Token: SeAuditPrivilege 5280 vssvc.exe
Token: SeBackupPrivilege 5480 wbengine.exe
Token: SeRestorePrivilege 5480 wbengine.exe
Token: SeSecurityPrivilege 5480 wbengine.exe
Token: SeShutdownPrivilege 400 chrome.exe, then SeCreatePagefilePrivilege 400 chrome.exe
Token: 33 5824 SearchIndexer.exe (privilege reported by LUID only; LUID 33 is SeIncreaseWorkingSetPrivilege)
Token: SeIncBasePriorityPrivilege 5824 SearchIndexer.exe
Token: SeShutdownPrivilege 400 chrome.exe, then SeCreatePagefilePrivilege 400 chrome.exe
Token: SeTakeOwnershipPrivilege 5824 SearchIndexer.exe (24 rows)
Token: SeShutdownPrivilege 400 chrome.exe, then SeCreatePagefilePrivilege 400 chrome.exe (pair repeated 7 times) -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process
400 chrome.exe (3 rows)
5852 chrmstp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4580 wrote to memory of 4916 4580 2024-10-21_9fecfd4c3d7862921a2e06b026a3d5d3_cobalt-strike_ryuk.exe 84 (2 rows)
PID 4580 wrote to memory of 400 4580 2024-10-21_9fecfd4c3d7862921a2e06b026a3d5d3_cobalt-strike_ryuk.exe 85 (2 rows)
PID 400 wrote to memory of 1488 400 chrome.exe 86 (2 rows)
PID 400 wrote to memory of 1924 400 chrome.exe 91 (32 rows)
PID 400 wrote to memory of 872 400 chrome.exe 92 (2 rows)
PID 400 wrote to memory of 2656 400 chrome.exe 93 (24 rows) -
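The WriteProcessMemory table is the one signature block on this page that carries parent/child structure: every row names a writer PID, a target PID and the writer's image. The script below is an added example, not part of the sandbox report or its tooling; it parses rows in the flattened form the page presents them, collapses repeats into counts, rebuilds the tree the edges imply, and flags writes whose source image differs from the target image. The FLATTENED_ROWS string is a constructed excerpt (8 of the report's 64 rows) and IMAGE_BY_PID is read off the Processes section of this report; both are inputs you would replace with your own report's data.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt: 8 of the 64 "wrote to memory of" rows from this report,
# run together the way the page extraction presents them.
FLATTENED_ROWS = (
    "PID 4580 wrote to memory of 4916 4580 2024-10-21_9fecfd4c3d7862921a2e06b026a3d5d3_cobalt-strike_ryuk.exe 84 "
    "PID 4580 wrote to memory of 4916 4580 2024-10-21_9fecfd4c3d7862921a2e06b026a3d5d3_cobalt-strike_ryuk.exe 84 "
    "PID 4580 wrote to memory of 400 4580 2024-10-21_9fecfd4c3d7862921a2e06b026a3d5d3_cobalt-strike_ryuk.exe 85 "
    "PID 4580 wrote to memory of 400 4580 2024-10-21_9fecfd4c3d7862921a2e06b026a3d5d3_cobalt-strike_ryuk.exe 85 "
    "PID 400 wrote to memory of 1488 400 chrome.exe 86 "
    "PID 400 wrote to memory of 1924 400 chrome.exe 91 "
    "PID 400 wrote to memory of 1924 400 chrome.exe 91 "
    "PID 400 wrote to memory of 872 400 chrome.exe 92"
)

# pid -> image name for the PIDs above, read off the Processes section of this report.
IMAGE_BY_PID = {
    4580: "2024-10-21_9fecfd4c3d7862921a2e06b026a3d5d3_cobalt-strike_ryuk.exe",
    4916: "2024-10-21_9fecfd4c3d7862921a2e06b026a3d5d3_cobalt-strike_ryuk.exe",
    400: "chrome.exe",
    1488: "chrome.exe",
    1924: "chrome.exe",
    872: "chrome.exe",
}

# One row = "PID <src> wrote to memory of <dst> <src> <image> <procid_target>".
# The source pid is printed twice; the back-reference enforces that, so a row
# boundary is never mistaken for data. Image names containing spaces would need
# a different split; none occur in this report.
ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)"
)


def parse_rows(text):
    """Return [(src_pid, dst_pid, src_image, procid_target), ...] for every row in text."""
    return [(int(m["src"]), int(m["dst"]), m["image"], int(m["target"]))
            for m in ROW_RE.finditer(text)]


def count_edges(rows):
    """Collapse repeated rows into (src, dst) -> number of WriteProcessMemory events."""
    return Counter((src, dst) for src, dst, _, _ in rows)


def process_tree(rows):
    """Parent -> sorted children. In this report every write edge coincides with a
    parent/child pair in the Processes section, so the table doubles as a spawn tree."""
    tree = defaultdict(set)
    for src, dst, _, _ in rows:
        tree[src].add(dst)
    return {parent: sorted(kids) for parent, kids in tree.items()}


def cross_image_writes(rows, image_by_pid):
    """Edges whose writer image differs from the target image (or whose target pid
    is unknown). A browser writing into its own children is routine; an unrelated
    binary writing into chrome.exe is the edge to look at first."""
    flagged = {}
    for (src, dst), n in count_edges(rows).items():
        src_img, dst_img = image_by_pid.get(src), image_by_pid.get(dst)
        if src_img != dst_img:
            flagged[(src, dst)] = (src_img, dst_img, n)
    return flagged


if __name__ == "__main__":
    rows = parse_rows(FLATTENED_ROWS)
    for (src, dst), n in sorted(count_edges(rows).items()):
        print(f"{src} -> {dst}: {n} write(s)")
    for (src, dst), (si, di, n) in cross_image_writes(rows, IMAGE_BY_PID).items():
        print(f"cross-image: {si} ({src}) wrote into {di} ({dst}) {n}x")
```

On this excerpt the only cross-image edge is the sample (4580) writing into chrome.exe (400), which is the same pair the process list shows as the sample launching Chrome with --force-first-run.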
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run the signature rests on vssvc.exe (PID 5280) and wbengine.exe (PID 5480) starting and enabling SeBackupPrivilege and SeRestorePrivilege, after the sample had opened both binaries for modification under System32 and the sandbox had tagged them as dropped executables. Ryuk-family ransomware normally drives VSS to delete snapshots before encrypting; this report shows VSS being reached, not a snapshot deletion, so treat the signature as a lead rather than as proof of encryption activity.
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-21_9fecfd4c3d7862921a2e06b026a3d5d3_cobalt-strike_ryuk.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\2024-10-21_9fecfd4c3d7862921a2e06b026a3d5d3_cobalt-strike_ryuk.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4580

  C:\Users\Admin\AppData\Local\Temp\2024-10-21_9fecfd4c3d7862921a2e06b026a3d5d3_cobalt-strike_ryuk.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\2024-10-21_9fecfd4c3d7862921a2e06b026a3d5d3_cobalt-strike_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=92.0.4515.159 --initial-client-data=0x2b8,0x2bc,0x2c0,0x28c,0x2c4,0x140221ee0,0x140221ef0,0x140221f00
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4916

  C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 400

    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc0c2ccc40,0x7ffc0c2ccc4c,0x7ffc0c2ccc58
      PID: 1488

    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,7501576214604955545,16031000360661419839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1916 /prefetch:2
      PID: 1924

    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,7501576214604955545,16031000360661419839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2504 /prefetch:3
      PID: 872

    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2124,i,7501576214604955545,16031000360661419839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2596 /prefetch:8
      PID: 2656

    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,7501576214604955545,16031000360661419839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3124 /prefetch:1
      PID: 636

    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3068,i,7501576214604955545,16031000360661419839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3308 /prefetch:1
      PID: 2220

    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3636,i,7501576214604955545,16031000360661419839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4480 /prefetch:1
      PID: 1480

    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4660,i,7501576214604955545,16031000360661419839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4328 /prefetch:8
      PID: 2668

    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4448,i,7501576214604955545,16031000360661419839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4800 /prefetch:8
      PID: 1880

    C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
      cmd: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
      PID: 5688

      C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
        cmd: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff6b8594698,0x7ff6b85946a4,0x7ff6b85946b0
        PID: 5768

      C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
        cmd: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
        - Modifies registry class
        - Suspicious use of FindShellTrayWindow
        PID: 5852

        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
          cmd: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff6b8594698,0x7ff6b85946a4,0x7ff6b85946b0
          PID: 5884

    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4436,i,7501576214604955545,16031000360661419839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4332 /prefetch:8
      PID: 5872

    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4900,i,7501576214604955545,16031000360661419839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5116 /prefetch:8
      PID: 5232

    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4720,i,7501576214604955545,16031000360661419839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5016 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 3076

C:\Windows\System32\alg.exe
  cmd: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID: 3764

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  cmd: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 3428

C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 5112

C:\Windows\system32\fxssvc.exe
  cmd: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 4364

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  cmd: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  - Executes dropped EXE
  PID: 5024

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 992

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  cmd: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 4228

C:\Windows\System32\msdtc.exe
  cmd: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 1192

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  cmd: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 3960

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  cmd: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 2708

C:\Windows\SysWow64\perfhost.exe
  cmd: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 2424

C:\Windows\system32\locator.exe
  cmd: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 1056

C:\Windows\System32\SensorDataService.exe
  cmd: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 1652

C:\Windows\System32\snmptrap.exe
  cmd: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 3460

C:\Windows\system32\spectrum.exe
  cmd: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 3940

C:\Windows\System32\OpenSSH\ssh-agent.exe
  cmd: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 1952

C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 4560

C:\Windows\system32\TieringEngineService.exe
  cmd: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 2392

C:\Windows\system32\AgentService.exe
  cmd: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3924

C:\Windows\System32\vds.exe
  cmd: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 5176

C:\Windows\system32\vssvc.exe
  cmd: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5280

C:\Windows\system32\wbengine.exe
  cmd: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5480

C:\Windows\system32\wbem\WmiApSrv.exe
  cmd: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 5604

C:\Windows\system32\SearchIndexer.exe
  cmd: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5824

  C:\Windows\system32\SearchProtocolHost.exe
    cmd: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID: 5368

  C:\Windows\system32\SearchFilterHost.exe
    cmd: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID: 5952

C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  PID: 5240
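The process list shows Windows service binaries starting from their usual System32 paths but tagged "Executes dropped EXE": the file at each of those paths was written during the run. The script below is an added triage example for a host suspected of the same infection; it is not part of the report or of the sandbox's tooling. It hashes those paths against the SHA-256 values listed under Downloads in this report and, on Windows, asks PowerShell's Get-AuthenticodeSignature whether each file still carries a valid signature. The path list and hash set are copied from this report; the sig_check hook, the decision rule in suspicious(), and the requirement to run from a 64-bit interpreter are assumptions of the example.

```python
import hashlib
import os
import platform
import subprocess

# System32 service binaries this report shows starting with the tag "Executes
# dropped EXE", i.e. the file at each path was written during the run.
# Run from a 64-bit interpreter: a 32-bit process has C:\Windows\System32
# redirected to SysWOW64 and would hash the wrong files.
SERVICE_BINARIES = [
    r"C:\Windows\System32\alg.exe",
    r"C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe",
    r"C:\Windows\System32\fxssvc.exe",
    r"C:\Windows\System32\msdtc.exe",
    r"C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe",
    r"C:\Windows\System32\locator.exe",
    r"C:\Windows\System32\SensorDataService.exe",
    r"C:\Windows\System32\snmptrap.exe",
    r"C:\Windows\System32\spectrum.exe",
    r"C:\Windows\System32\OpenSSH\ssh-agent.exe",
    r"C:\Windows\System32\TieringEngineService.exe",
    r"C:\Windows\System32\AgentService.exe",
    r"C:\Windows\System32\vds.exe",
    r"C:\Windows\System32\vssvc.exe",
    r"C:\Windows\System32\wbengine.exe",
    r"C:\Windows\System32\wbem\WmiApSrv.exe",
    r"C:\Windows\System32\SearchIndexer.exe",
    r"C:\Windows\SysWow64\perfhost.exe",
]

# SHA-256 values from the Downloads section of this report (files captured during
# the run; the report does not say which path each one was written to).
DROPPED_SHA256 = frozenset({
    "beebf528754b36f84ed3ec657d5891e3307f625d56ca36e5b0c7af98766b5955",
    "96165baafa19b8e1a41db36e5fb0ca8eb8fd2a4a95542a818264d9cfbc1d57e1",
    "b59210a31f51b8f7fe07549b945282eadf32711ca7b8906409a529b14ac7ed16",
    "6c71cf0627ee4dd77875d0041c36f85856c9ebac401d3b46e61d3451e8d31d2d",
    "e8771fb9a1fedb52b3f5d783848b8f07cb9952dd2c0991c1d8cbdae24ec1425d",
    "6d1ea6d1259936005bea1140ab5efe6f5a8892530a54ba46b5f53ed2d6896a6e",
    "86a2d098b2812a5da18707e7cda71950b7fb88ea97df91c3e49b40a2d84c546d",
    "62eb400f1a6f34b0926a543bb8ccb9ee30d5978483720d432da6f65c3b3a55d7",
    "3e0284768375899018e476cc3cdf600040a1f6539903ef27bf4fe4cdd13433b2",
    "27f3b99e8ed18081cc28b9d3c14494add23b42acd13293ef0d0be09dfbe5fd4b",
    "b73e08e1fd624431d04afa54a11ae9d7b8785e6a9ea52cbaa49bdd35c874aaa5",
    "f1e23c1e98f64fb7ca759473fa77bb868bfe30d81b50d56f9af2235140c2aa54",
    "4786d47e216ba1fe8c00397bc6e3d417a64d5604058419cb561feb6a2f6c9e7e",
    "532698227289349de5406e759bd13b75d3c78c79d4043a00c1301a6158d68376",
    "c9abc4c8dec9b51d2ec8d156bddce7e9c6d71ba3fa70e9fa0dc3beb20d99a8b1",
    "1b51a6560975ae7bee8bd9b2ddbf6d6cea4a9b62a0c4124e51844ad2321e62dc",
})


def sha256_file(path, chunk=1 << 20):
    """Stream the file; service binaries run to several MB."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def authenticode_status(path):
    """Authenticode status from PowerShell ("Valid", "NotSigned", "HashMismatch", ...);
    None off Windows. A replaced Microsoft binary is not expected to come back Valid."""
    if platform.system() != "Windows":
        return None
    cmd = ["powershell", "-NoProfile", "-NonInteractive", "-Command",
           f"(Get-AuthenticodeSignature -LiteralPath '{path}').Status.ToString()"]
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
    return out.stdout.strip() or None


def sweep(paths, ioc_hashes, sig_check=authenticode_status):
    """One record per path: present?, sha256, hash hit against the report, signature."""
    results = {}
    for p in paths:
        if not os.path.isfile(p):
            results[p] = {"present": False, "sha256": None, "ioc_match": False, "signature": None}
            continue
        digest = sha256_file(p)
        results[p] = {"present": True, "sha256": digest,
                      "ioc_match": digest in ioc_hashes, "signature": sig_check(p)}
    return results


def suspicious(results):
    """Paths to pull for analysis: a hash hit, or a present file whose signature was
    checked and is anything but Valid. No hash hit proves nothing on its own; the
    report only lists what this one sandbox run wrote."""
    return sorted(p for p, r in results.items()
                  if r["ioc_match"] or r["signature"] not in (None, "Valid"))


if __name__ == "__main__":
    report = sweep(SERVICE_BINARIES, DROPPED_SHA256)
    for p, r in report.items():
        print(f"{p}: present={r['present']} ioc_match={r['ioc_match']} signature={r['signature']}")
    print("suspicious:", suspicious(report))
```

Off Windows only the hash comparison runs, which is still useful against a mounted disk image; on Windows the signature status is the stronger signal, because a sample that rewrites service binaries will break their Microsoft signature whether or not the resulting file matches a hash captured in this particular run.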
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
Filesize: 2.1MB
MD5: ffdde2ff6d910d155169b83683a37ee2
SHA1: c11e9a9d1be87be23556a3708cb45f11fafbeaed
SHA256: beebf528754b36f84ed3ec657d5891e3307f625d56ca36e5b0c7af98766b5955
SHA512: 5bd861c2d8242f566649451c4e1dad483fc22678d6781c2f19fa1d375cdcbcc2e1bf0faef722ae798c1337270fed582e90549ba745660eae8f671f7c69df560d

Filesize: 789KB
MD5: f908e3c4fc69b6a5a19fc77834cf7f4e
SHA1: 6e5815dc606a3b272a39d23af775755360d7f453
SHA256: 96165baafa19b8e1a41db36e5fb0ca8eb8fd2a4a95542a818264d9cfbc1d57e1
SHA512: 00d334ff05be62bb3042408bcd136ae450a79086abc6a9df90e1371401f8024a99202d53a2cebea8062cdb21363c5f39f24eb60e736a48fe619767ee913bbe7f

Filesize: 1.1MB
MD5: 646e30f7e0ec0f2b9ad6d95c1af77e88
SHA1: e34a729a52debffff8abd93795ac68fd691a6a2c
SHA256: b59210a31f51b8f7fe07549b945282eadf32711ca7b8906409a529b14ac7ed16
SHA512: a1796ac483eca929916160d803752b7884971ee74d518e9412e0a84bdb3fd8fadbd7145f75ba10a72faaa2176d9b503c5d9bd9000ece7c676296a107c6175c10

Filesize: 1.5MB
MD5: de541ab7d700ad9d8e6c9d53ca03e456
SHA1: 15c005fcf2d4fed35593c0b7c90aab24d95c91f4
SHA256: 6c71cf0627ee4dd77875d0041c36f85856c9ebac401d3b46e61d3451e8d31d2d
SHA512: 9b593f2f463ee49778f0546461c0b4df7a5ffe87716965f822d9bc7949c580855031d7a1a6be9025c291ccdf7f53e3bf00040fd09c33c88ba714f36afead8bf5

Filesize: 1.2MB
MD5: b126aa7c67bc94ca22ef9d09acd8cb89
SHA1: cd5f262c23942a8d38255ac5dc40ea20c8a11b51
SHA256: e8771fb9a1fedb52b3f5d783848b8f07cb9952dd2c0991c1d8cbdae24ec1425d
SHA512: f509d5a060bfe67f401ad53c7830a67170c4c490cf4c59c2e2efc5beb1ff5ecc0109c9c9cb25fd84a310a869ff1a959c79569648485829eaf53d68a598c2dd76

Filesize: 582KB
MD5: 7d497feccb62be3deca753beefc94108
SHA1: 744fbb24b70ccaa44cd65447be219c4459cbf487
SHA256: 6d1ea6d1259936005bea1140ab5efe6f5a8892530a54ba46b5f53ed2d6896a6e
SHA512: f01ce815a0a261cea191163fb1b07a38daca279a3ae7e7f2ff0604afcde4a0bb0f18df7fd06caac9b8b56810c8909ad509c1c4b17231ab7e27cad365a55f6a40

Filesize: 840KB
MD5: e87c1374f8788420d5a48a453754aa1e
SHA1: 615a00c0f6b718760fecd965a0887b4e428c534c
SHA256: 86a2d098b2812a5da18707e7cda71950b7fb88ea97df91c3e49b40a2d84c546d
SHA512: 1a99943bf88b8aa4323318d4c128f8e61eafd320434b09aada937802b32791ef534ba4bbce494b9ddbea651efe29289f49855eb1d955eb9511e5d19699960167

Filesize: 4.6MB
MD5: b43214f61e11b36337cad833a221c6c9
SHA1: 31ba486125b8776c20d6204473468da8674657b8
SHA256: 62eb400f1a6f34b0926a543bb8ccb9ee30d5978483720d432da6f65c3b3a55d7
SHA512: 9f41a888fb2eeccbc41271b6e166b6b79de3e69eb4c441593bf8b2ab1ee83e30b18ac1b4a122fe3f5a22217fa880a473dd44321bd956b4e5a0af8a5d933efd11

Filesize: 910KB
MD5: 5251694f3c77c6f61c8c90ebb7a7f0ff
SHA1: 2cc0d293d2a3e57981d29a07caf37df1835ba2af
SHA256: 3e0284768375899018e476cc3cdf600040a1f6539903ef27bf4fe4cdd13433b2
SHA512: e1399eafd753e13c87779eb32b788e37f1254fa8a5b42c15f0995927a71b5b47f040a08080ed663784dd39d448edc2b9f8c112643457c2cb44aac5ff613509b3

Filesize: 24.0MB
MD5: 1807193ade8c2779b523a23229b344f5
SHA1: 6af7b31a83a442bcc7d95fe1a6e924f3566bae3d
SHA256: 27f3b99e8ed18081cc28b9d3c14494add23b42acd13293ef0d0be09dfbe5fd4b
SHA512: 4a5c86201b3f279e34ab73668d3bdbf7e39d9aaa7a41078decea0018a52a5b144ee9a53d365551853b6574e72f99addf0a9c333c81eac0501499562c5a4ef536

Filesize: 2.7MB
MD5: 011a6590d6f39b84fc934d3bf626ffbc
SHA1: 498a8af11d428cbf1726bd8ecf7bdf6166748baa
SHA256: b73e08e1fd624431d04afa54a11ae9d7b8785e6a9ea52cbaa49bdd35c874aaa5
SHA512: 96fbc5d9a389dc6fe9d6a86484112f7059624cab91ba1ab21b27a75c54336d75caa737c2068427fda21607d2544d7ca2a4c4fed2e14a2e973d5995b0773c8792

Filesize: 1.1MB
MD5: aaacac733152ea1d38f74384537793ec
SHA1: a3ab235ed999075d42eb155194ffc43071111192
SHA256: f1e23c1e98f64fb7ca759473fa77bb868bfe30d81b50d56f9af2235140c2aa54
SHA512: 100b40af639c484b0e66d47f60173256a281d6cdf007b6042784320c6e1f78d963e8932a98ce490cc28f610d797f08d575504ad2f8002d46baef8fd030a2b00d

Filesize: 805KB
MD5: 4158ecbe1becfe8e307e72d6cd09a1fc
SHA1: a0f23e4ccf4c928b79e09655364c8b58135bca80
SHA256: 4786d47e216ba1fe8c00397bc6e3d417a64d5604058419cb561feb6a2f6c9e7e
SHA512: fec43dda9007ccaef1e3cfa0c73ffd0929c59be36e0ad39bc973bf19e1ae1a244efb43cf89c4fdee96f93abe8f3a8c6ff05b6d8ff6209b39613e7815d0b9482e

Filesize: 656KB
MD5: c8d2fbb244ee34d35e36db9b867b0e4b
SHA1: 77ed1dc31704af6067d0d03de08e3221e3c54d0f
SHA256: 532698227289349de5406e759bd13b75d3c78c79d4043a00c1301a6158d68376
SHA512: ff0b38c26fe6fd94494a7102f346b992d7550537a8cc5573622f30f6d0b505bb22200c99f63f745af654ef1a6bd30638048a4f506649e384c1828baf68f153e4

Filesize: 40B
MD5: 268950ab73d1854104eeb4f6d4793128
SHA1: 757d3749ea559786c560d5b973561f2f997e50f6
SHA256: c9abc4c8dec9b51d2ec8d156bddce7e9c6d71ba3fa70e9fa0dc3beb20d99a8b1
SHA512: 90884d54c91b90d1d9cea23ecea2cf0e3e78f6303c7106b0d1350132025d7b031a3dfef5445fc0ad71094993ed31f4de4c9194c9573b3fe4e1216294b847fa14

Filesize: 4.6MB
MD5: ea278ce84e609e7a40a99cabc11ad585
SHA1: 17a6099ad45bfd759bff4585043770e84cd525d0
SHA256: 1b51a6560975ae7bee8bd9b2ddbf6d6cea4a9b62a0c4124e51844ad2321e62dc
SHA512: b6d497e503c06a5f612ae556bc549cd5b10cb35f15932d3b1ddd721308054c12a8675477a7ec48f769c9c5d7dd0f103f891fdd19e7ea86512062a2c83a12568d

Filesize: 1.9MB
MD5: 226ea9ab2c00f3b569d42ebcca212081
SHA175ab10853c27e44d1adaffdd37ad9847c8895047
SHA25698a68e64aa660a0950d0639f03aac122064bfa4e60dadb2d08099cbb51243a74
SHA51284c86e5f5b9c4a0d1305f6619b44bafed2ba02409b94d2ac2deb79a0d626ddd371e4d93f4bee6c7c77559bb8cf70623583114e74941a4778754a6e71b0679689
-
Filesize
2.1MB
MD56b69d3f0a81fa88bd0dfe0d7e9163442
SHA1e0e6867ded817f1f3382fb877703e137f4f60934
SHA256abc8b0f7d64e69f487ba165548fc5fff6e325cb7f89aa6ee27efa74637ad2dc3
SHA5121d3a0a419911d54b5d43e50d0958f2f9ca77634e303c48975b7e696a8b5fb8b6df638d237080782959a9de0a82fe3a2c71f49e6c2386183e08fb3c2f07740781
-
Filesize
1.8MB
MD533bef410c8dff756fe9efd68835eff57
SHA1db3911aceabceb7e99f519f882bcd0863d00ca64
SHA2565e979cd2748e2caefabba14eb5f0cc8eb3ea0f2ae6e0e31e7bf3901495f23e6d
SHA512f379ea03b8d550405f99cf7bca54282955d0bcc9e5b12d0d69b116847956f8ec37ab5e2312d4df92b45e9dc31c154bdd7d2e735048763f873e29a98b753c2845
-
Filesize
520B
MD5d7bdecbddac6262e516e22a4d6f24f0b
SHA11a633ee43641fa78fbe959d13fa18654fd4a90be
SHA256db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9
SHA5121e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1
-
Filesize
1.6MB
MD522b684fb8b4dbdd5c563cef42505aa20
SHA1ae4939a7645549bf25d017b4ea68e02836ed3e9c
SHA256b48df3389713eed5e9934be54e06a69a71b579a5ae87b75088f43d41ba001e42
SHA5124bb22eec5edd631945a7bee76de1ec0fe7ca582cfdd496a2883696bd5d76119ac978621cc2ff96f569059b563ec3ec74e8a8125268846a66868ceba56c03c215
-
Filesize
581KB
MD55d5ecd4c3e518416354ee7c0c3637aad
SHA162aedb6fe3145cf594014297983d5a1dadd826dc
SHA256dbe163ef7f4e3317b0039b18203f9c8088375cda21fd70d1516b4443d7335d4a
SHA512d208592902570f7eba0739144f75002c9b01e2cf79ed1b41089fd9cd38cf67e076ee6d3fb9808ffaeb22986cb8685a69054f7ad0e52801dfb88ebeccc7e5c120
-
Filesize
1.5MB
MD55a34973e6b6729db42673b40d74127a9
SHA19590d3fa82950f42592c58ed9b7b1973ee44afd2
SHA256d3e488bd15b33385c56bf3e77e9dfdabd180a3b1b5bf1d79e5321709d187156c
SHA512772cfeab750248a3862bfefbd5efdc4f6c5ce2471b80eb7bb87cca72fc05d216a16aadba1b2e8b2529ba465873a75fb31561dda78fbad18a5194b12b1ffcced2
-
Filesize
701KB
MD56d9507caaeb1bccf263c4589f44476be
SHA1e4ea559634c1c2b700bb99c71216bf374e50d827
SHA256cab2654eac038a3748b9e29e38933630620b1267f5cd10704684d51d08c34817
SHA512bf6fb065bad131ede78368d2579d17c60e53e8cc36497b5593994bd30812859aa0940d0311a90830f78f3ceebbc5db66da1b9dc886c44521c9f91a78910e6523
-
Filesize
40B
MD5980ebd34ef8cdfa9900dba4fe367d2f7
SHA135955645e6324fce99a971a5a80ecae0fc21d971
SHA256d5384308d29f2f9478f0d1354e9f94053300496f3b7cd2f88f5f8d00dbe1482e
SHA512470cce060f4dcca34b26c8c3b2d3d4024c12fb4631ed8251e942e7e992149a422f30526b27f9f55c13d5d9581f022d3b18439893c6b0455180ae70c0fb24430a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1d93ec0c-5ed8-4c3e-87b8-bfd8b4e09d42.tmp
Filesize649B
MD5d4f2b2abb6b761a94af66cdbaebf15cf
SHA1ec6442a1e7ee3cf397b08595ba9eb66a5e75253f
SHA256550c990e99f2e4013ce4d1cdfea7bd284a0ffb20ebf30493f7b48eadb60d9be7
SHA512bcc7a6d1f1222ba329a8d58f7de7085a4443ccb292127347db2c12d3a5b20a90fd65b4c92ad2748db237b3ebdae1a510eb46a026d91f60cf23b30c0e50f46128
-
Filesize
192KB
MD5a8cf54419129b874864cf206392ece0f
SHA12d8f78e5d6951faedba3257d5794227f34c50967
SHA256b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f
SHA51202a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c
-
Filesize
2KB
MD552e669e91d3e240ca7a2e4e395309762
SHA1d8431736659d82d82935a93293c1309953c803d3
SHA256623bf19fe9eb234e29831ebfe026dab093133be03ada88bf85a112d2c9d2e599
SHA5127293309101255836a14a29d54aa501f7ce435e15fc297de763e9e372ba21b0639731ae8b0efd76b446c8023362069783cb5aa90be5b388fe04775f5e60dd7bc9
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD52b41bee05a097fb1d44aa5a1c3a099a7
SHA190e18814ad331bcf87b5dd19498e551f9a106468
SHA256eb1ddbb759ca055cce664428c43a54d21c9ff754930ef26341ebeb3002872ae1
SHA512cc6cb8144bf0d5f9063c7c9f376d6414c5e76818acb4e9ce4c5eeef6320969b3dff21824c6f739708aba14dbaae13830b75ace0b74a5349eac491b5184c5d935
-
Filesize
8KB
MD56aec14b9d80a6a18a5f77c0826c1740f
SHA1dfd071b72692d63c99074c607e1b95a7fb31d769
SHA2566ca7a505615d6716b806e4aaf67124c086896459722073be746ae360b768c0f8
SHA512ce39c96fb154cd4056dbeea7d363dff1ecccc84f9d32b8f65278aec7649ea95caba665ab8e947a206f7938b8a621368fc35f93c4804f70805e9d66018563b337
-
Filesize
8KB
MD550d6d0caecf2c5b76ce2be1eb10c4c02
SHA15d4e093ddbbc88bccd0b1543bdc57680b7f5dd04
SHA256952abbfb3799a319e9eba520ebc61c2fac835dc2abdb0edc26a0e119dcbad575
SHA5121ba06231b3491aac8367259b7f7d16cec59b587877da84ff8dde18623c549b2da83d9a55c69a6c080e308d0f48734057e38482b3bd83afb086703c0fb70f2e61
-
Filesize
8KB
MD5de9bd00b5eb795767a9ac1fdcb9f6e3c
SHA1167e11f3fba366eaee459184e66eed078365a8e8
SHA2567f19d801dc4226468a0648d6f069522e60329279f15bf79eb4d363f0dda13267
SHA5129cd80ffb885ce44e3bc34cf945d895edb23db95df78154d1d1856655735a3ce809d91b22f333225effccc9ef84e8aafee5dc13a67a941745723daa2f52d47a90
-
Filesize
8KB
MD5934b10e7fc69ff2fa664de999e19cf07
SHA1c75f0a61d1a61f55efd04fe95e35db6970a51a3e
SHA256c0fa2ecdc8d6da43139110467fddd9e224649b6b0ec2e2e5d0f2e9973d8cc8ea
SHA5128e60bb8233099af9a79828167e286a7ffc46cf67091c01319f398f0d3ae0ed733701d912373f714fd5101b56aa119b3a7183e60f26680845c4b199b35aa91333
-
Filesize
8KB
MD5c3ac620803ef7a91eca6c54df018ed4a
SHA1387cfa8b2612f2c41ed1cd29ed613685a76976eb
SHA256d2ea0f363463da7bf441db0f4d00ce88e5934e9e21313a174ca7c7a635a4336d
SHA5126537a7b37fd221f512d6af7686547fc5da74a9a96d2010da1d6f34366b0a1040ce2da1efbbd95b6a3c7dd99fa73100efd2a5422b45fbe33f9a777f6ee6d3c96f
-
Filesize
8KB
MD59e15f0e725c9e685b3089ecd0c52874b
SHA135f3c4467f4fa40d9f261d5150bb41c2629f3439
SHA2569268757db927b79fd169bf4e8996331af000ad63572ab166b5694bbb6723ffa5
SHA512adc2ff83d73d4ad212d8b118ec4f9eab334a0ac81e6f47367d56c4de8d6274f421c6089692cb374dd9327bee7f7a776416804f0a238abb23a59fe6b9b2a8e664
-
Filesize
1KB
MD50d4b3eeb6b4343ffcc5a9aa997f52bf4
SHA128c9da82e5539ed572b6fec079b554fa8aec4ea1
SHA2566fdef3a9e405c12f661f27b154905fba6a07360e4637f2a26766121eea57461b
SHA5121067628201faab52f28d364cf83650f2368d9921c4459a8d388a863a15e15e850a9a61ec0d36158b9f4d590ce93bf8619a6ba2dda94786f6d6527fa824775aa2
-
Filesize
15KB
MD5d4ed2781d9d935a2a9f33e946360e39d
SHA16e3dde6e97596953ca5883a1fdb7489b886f86fc
SHA2562a6353d703b0317e2c3f337c3d8ebe8b1fbbf1d307cc48575622617db63432f9
SHA51244b3da4b8430e0fc32814214344d2fc2b233979c8ebaa9a8ce73f52cdf71802f00b2ad3950b35667d1307f1e09d6acb1821e7483e173a546dbbfe3025e0afcc3
-
Filesize
230KB
MD57060688eca838f7b3cd34fe724b687be
SHA199eea3943a1517bf74be38b212cfa509fb01f119
SHA25654ed4fbd22e74a0d5e271835ccadd47d4f702401bb8fcf79b4a6342ffa2f38f9
SHA512ae95cb40d6a7ab571d799e65381b8fa19a48d318d4ab5ef3d07afc8c1a95c3c3a52c10044d2b49e19746738b1cf2d70e1cd0fb4d337e5f28da82280548f27831
-
Filesize
230KB
MD5e894c283ad978233b0ac7ff1551a747b
SHA18b8e1102cd8113f28a64a5085fb54a9ff78ba593
SHA25611bfe5c45ba7d02815c81afaa3421ddca8bb9453ed39f04ca0d2139b83f7c421
SHA512d560ac97209b0c0be9b061014afbfd1624ebb5d468ff6446e9da0c3b0400f96840b92dc86e217a185004c93a4a31c3cddd2c03bb4669ad51fa61a6092d3b10fa
-
Filesize
7KB
MD5fd811e39389be378da5f4e0e94f4e633
SHA1b7b3fc6ebc0bd81b41bfe6c21230e62ba37b81fc
SHA25668b28c8a5c4c5adcbad0a35662812901b8656478ccb6caa297ed455a1c2e6a1b
SHA512923eb69fea6a8f796a088a41d8579653ef6de6468e0ac7a907976e8834433268a61ecc7e3fdbb413a6edb0e6b73998d762496f4c351418518163f992fa196251
-
Filesize
8KB
MD54f8a0a013846637c607579d5e476932b
SHA19dd432a8f5c537da2ec8446da5fb09ec9e30683e
SHA2567bae7ff0b37d40bbcc4a51e1486ffac4aa04c4666481512366c842b61a7d49b2
SHA5122ce804f7674753af467df4bf1bfe72d80220d77da851a11c9257b383e5b100028b13d678edfda4993eb91a40fe38defa5e7285034dbcbfbfc8bee8f0602c970b
-
Filesize
12KB
MD56b6fe1a084d8ee3eb78b1c333e9fcc16
SHA1d97457622f568e403a8934d485688165e649b2b4
SHA256e8693bf9c00c91bd764867a87b9d47130227a24cfcc1686f8fb95818eeda6332
SHA5123329953db6e91aaf3ee22a141a2fbb71a8814c40776a3e0e37622ef6fe5ff83a2fd0aca440a77fee1f9ef4caf3c1d167a62a34617a39e24b6b63bf9c56add5ea
-
Filesize
588KB
MD5a44439a26283b9a5b1a1b97dad218c15
SHA157227233baf82b02247d34194dd6b6e240749a8b
SHA256e87ef632d57f28ba886eb1c49534f108a2f9cd88a9a96bfaca67ddfb86dd7e0f
SHA512e123185140de0ec00bebc4c7c3640f9e066b9f57a12c091b8669dcaa6d2aabb6b50ec74ba7427381e521c759f0dbe28d721e9e7c1a24965f40f31b51693dabe0
-
Filesize
1.7MB
MD51eee3521726b6680d1e395729a5ad400
SHA1f0f6304e1e6f9c15b37c8d0c987ce23b9071f556
SHA256d96d5625504dadb990db5084368cd463f0f4605af659d4873a31a2f7fd7991de
SHA5127c08dc7909537614f7233d7cc16241b9540da95ca8af7dd2a33d55c465a3512cf2b6f0206d63c732c8ba9adc3d6ad2a6010555a611b405c13b039c4f13213978
-
Filesize
659KB
MD52ee2281c1c05cbe162745f7014a6ce32
SHA18f304afd39934240b108600323d584a3db6232cf
SHA256fe83def7ee783f443f96c6823d53b92a564513219f6b84b9bb3746cd865fd254
SHA51235798bff1aac00f53416abd8b18597fc2d8c6a92fe556f15b1626ead78aa334770d1d030876759f2ad9dda1e54f9c061f2b273a0f1f77c52a13169806b9e6afa
-
Filesize
1.2MB
MD52c8e0729e0092c87a46957838878a0f7
SHA132cde4f2ce48404e2367f3674a59617ea82b815d
SHA2569d6938a9003edef828a976f5e5d1526cb00845331915fc4a19842a0ded351b03
SHA51213d0d4af6adb788a0f468f2bbd373b8631d7e10e1922197eef52a4b42113f11833cf94d69b8eb6cbe858b79ac2970f7d2610ac5f5768275f2bb829f7d8feba10
-
Filesize
578KB
MD597b835499ecbc55479b714ab21ba9b84
SHA12adbf04afaa9827f815fb4573185b9827091c578
SHA256083333e12e19313938acf961669b517755653a8850a5d3706563f211dfe7c9c3
SHA512cd5041e65f6f5feed79cfadb12a0378634430b7fd91c2b57ebbe78bafbb711f096130e544e5f53262d7908cd169c9906be53d2339aaa509f5004737c7f0b42c3
-
Filesize
940KB
MD504e91bb0d6fda2511b865b01fea0dbf5
SHA18a380505898a7a257f2f3c627168a60ecc97c0a5
SHA25673927073974099e607bf4ad1da46f134dbdd2362de969f1738adda9f4af2ec3c
SHA51258ba71d70e2e454a32c45d348b24b2e7c9479beb327f142dfc88e99f3c327a9887e1ab35587c4ab863869ced45c8ab52dfa534a4d302a4ecba0e564d4b8b9200
-
Filesize
671KB
MD5db4f200cf13eb33f1c8dcd470919f9a5
SHA175e2821da21bf366696c5a8f3e7c1c6fb51feba1
SHA256204f6beded02994e47bbcfa534a9c95209246c3ad528652ddd53e4f580aa9b2f
SHA512e3f31d2ef10df14565c1f2ac6eaf9f602fe6f3c23c7ffe4c0377dccb35b2df81603eb58039f464f21b174ba8891220e2b2784364a9675d6a9f68a81388d672c3
-
Filesize
1.4MB
MD5baa77f5858eb39b43cf88fe67d67ac23
SHA194abd8569e2415cbb743fc3faff735b8735d4a36
SHA2560d80a810eb37ceb3bfda333bfb7aa5fb29c4dca0d00f265a83cdbd668778ee15
SHA512be16a03c9582fa371436779efab0184e09a7aa58bb4c71c3459726d221d31cdddc8eb22268b7e0d3a4fddf73d4bae408e8459cf2594820a02e10fab068c0ff9d
-
Filesize
1.8MB
MD5de092c89f241f7afb7d42da30c92c21a
SHA1399b591acde4801e1cf478404dcd29addc5777db
SHA256fd0b040cad094dc450f552f28720238cea42d7c3fafd591577688a6cf232e855
SHA5122cb1bf095fff96ced136fdba4d723db7725096ab354352eda4200a1b875c7c5572e15a31a9abb0a14b06c67521b53cf2bbcb9ca5613be45b854b3a29ebfb8766
-
Filesize
1.4MB
MD52897f95495905fed166b8525b4c12b9f
SHA10b540b36d24e62817bc67e8d9495e222e65fac54
SHA25624331846a8753189405050a96d359551b45c3c31e5c97fd39be79535e5912b2c
SHA512dac7122d1f8dbb2bcdddcaaf9942f4f82795426335e0e9afb9081a93624c5ea83fe8ffe1b2ff9bc65253d49e7f3b9e4ee5fbff0edb4b64b0f389bcbb7aa35e34
-
Filesize
885KB
MD586382f3c22e034e558a2eef2783cfa2f
SHA15f503250414c2c5b3c4004af8a99022b8d20981a
SHA25646b9d701ac547ab7783409eeb05b5be2dcfedf40864e6a5257e36f5019e0bca7
SHA5129b1c16e6f766a018c225063e6a98922c6ae3cc345ed94bf5cd31c3258fceb7b9511d7f7532d05043989580aca1f85c5506a2b2a944d0c0925a99ef99ebb28654
-
Filesize
2.0MB
MD5b788b472e27323fb8aba5b5030ab561d
SHA11e0193806621689cbda0abb8bc44a71502000115
SHA25632e578545e0143b72adeee3b9bb06b079b2b2f9e3912ba6d2197b2c84695b3ff
SHA51295902f3d67ad10c20baa530c8900a4a1c4e51314f99701a44159abacea51f5ce13f0b0e331a7fffd2b4e0dadfd8a2b7d2cb2bfe6d208c7ff2d15cad1fad2a8b0
-
Filesize
661KB
MD59016e9c12e1b2515192a4678cd552b65
SHA1a509afa06e1f7a3db78300c45a2f7f8e3dd0a7c3
SHA256f9edae6524483798574ce2e4b60975d0ae9892aabde51c8083fe17344730c197
SHA51224fcc53d9f7b892f6e483d3c860c1d63de7fb7c0dfb6b920c40d1406260212a15503387b45d8f043d4a70a5774d3f19ad05b6b9e2bd2d0b3562ffc67da0410b2
-
Filesize
712KB
MD57dd128a18744fa4031868994434c8a9f
SHA1e13f00a88e137b4927dd43174c1710a44ccd9044
SHA256a1f14acb4531fb31c452d1d387dedb1468dbb7ee80447e2b78cadbf613f725d4
SHA512a5b610946a956706b945ab6c2a47f5061b350220044c0e0e2637d01fb331dcd873af80b8eee0d21b7dbf2f0626bbef08284833f9a0533ca7096a7299ec0faa37
-
Filesize
584KB
MD576e66ad5656bb42db70261b82999a4c4
SHA198a6180efe968d29e3bc50ee09ac9ee6ebf68333
SHA256d38276d60b03e76e6b21926d8424d94f581f6f159917a61500034a8371684cf3
SHA51280a7f2c6c71d09081e9e8533c8c344c4bcd8c8051d016a213f7673e14cb23c88495b8f895f0efe630acd91069fe359d8510b23cf94fc3f7ce5c70bac73ad702c
-
Filesize
1.3MB
MD53ab71fe305192b567394aae24e173348
SHA1acc1fc8d13d25fcbc6d3c5045231d33bdfd130ca
SHA2562d528b8dddc76083a183542149cca2f5a08b7e71477a1fdd7676444d3366af2e
SHA512c4b3e3097c1904d47ab8fa100f10c925cb88aa181d46b9b73977626fa04ff2a6e483e6960692e3c9aef8c49b4372409827a7724ac4a54ac6001bcdea310e5615
-
Filesize
772KB
MD5ffb8e2c80fb783b53255b037a3f380ef
SHA1c24a0c6c7ef0e990a6fdb20dde30754abba6cc5f
SHA256255e9d8b8f1c277d47bf08cc0671287458150c395d23dc6eaf8b2e82659b7234
SHA5125487bd789b5cb25e2842038cfaa5f2fce89e973c405a46dd257a7e3b1ab29fcc94462c1510aef51b0c36f59f741b6cda7bb3dba5b8d8132e96886d45e96898e4
-
Filesize
2.1MB
MD59116f8e7c70d22f388c8440cce67a81e
SHA1b3f52a6eb843fc141c7b2723165befb4f7cc32fb
SHA256de3ee5fe618b835bdcf82c9cfe886b2637546cc441693d1d9b566b57096f8146
SHA512b2e8678a939c35089e6ac933e4204a3e65c30e39bf59c67cef3845f47f067cfcf285ee4880b3673759c3018ea1afb40b38ade90886e61c06a70eb774c3a819a2
-
Filesize
1.3MB
MD56fb23646adfab92cc62377fec6b9b9f3
SHA1eb1ea63b8ad9dd15efa706f6e4f7a4d07f83d149
SHA25637d391d719fce6804b15e4733514d9ef3e9c83f8be09d06590efa5bec0354616
SHA512dac924a01be133fb0f104cf157caf453506dfc5b38cc6be68e635274b4a147ee859d51732b5d51edaa94b89cd098b01d7fbea065ec4963ee03fecdcf4e623207
-
Filesize
877KB
MD51b36f029e66ab7c367ec666832f2fac2
SHA10e33b8a9da4cf0aa20225a1d3c85d25d16f106f2
SHA2565c480706d735cfe435901b2e8ba79a9f7aef24aac94bf28cbf52e7655d066f4c
SHA512f1486920c75e93cc501af5e426d4fcceed6ef140e3db7a319c5de7e400c18bd4bda68bd344e64a7f44c4a1d4770cd27f7961e5313205e34122ccb1c827d7014a
-
Filesize
635KB
MD584321c48d91aa33276c5139706f61e78
SHA170763a07e6f0e38de9491470fd9f20fecf542a90
SHA2564d3de470849ec4ac83cf67e8049deacf14c7c95438265e6505c9150eaf2d9c3c
SHA51236b61864dd936573f08ce4428863f1738895dfa8fffe4c62d6a9ee6ef2a30cef4b39c72ae907a6090fe1522d10c29f41b7fc5975a07b55bccb1d3d0f01fbbc8c