Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 11:43

Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_205a43fd811544c905363c9968c9d2b1_ryuk.exe
Resource: win7-20240221-en
General

Target: 2024-04-03_205a43fd811544c905363c9968c9d2b1_ryuk.exe
Size: 5.5MB
MD5: 205a43fd811544c905363c9968c9d2b1
SHA1: 1b227c03b0bc3718f165f4552034724ffccfe1fa
SHA256: e0f3a162c7e98924dca05dbcef50c4448159a74366fdc046b6a76c53b2e4ad52
SHA512: 40e380a868e613b0800a0f999ae5885a898bd980e9cad240c7b2bb855786778024cd4befb3b723ed4c40eb443c19d965fddbdd9cb98bccee7570aa6c357b6de2
SSDEEP: 49152:EEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfM:iAI5pAdVJn9tbnR1VgBVmFE3Xc
Malware Config

Signatures

Executes dropped EXE (22 IoCs)

pid   Process
1328  alg.exe
4416  DiagnosticsHub.StandardCollector.Service.exe
3092  fxssvc.exe
5040  elevation_service.exe
4740  elevation_service.exe
4188  maintenanceservice.exe
1196  msdtc.exe
2236  OSE.EXE
4420  PerceptionSimulationService.exe
4140  perfhost.exe
1840  locator.exe
3852  SensorDataService.exe
3920  snmptrap.exe
2504  spectrum.exe
3068  ssh-agent.exe
3084  TieringEngineService.exe
5128  AgentService.exe
5240  vds.exe
5336  vssvc.exe
5448  wbengine.exe
5564  WmiApSrv.exe
5668  SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)

Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (31 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)

description                   ioc                                                                      Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  2024-04-03_205a43fd811544c905363c9968c9d2b1_ryuk.exe
File opened for modification  C:\Windows\DtcInstall.log                                                msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  alg.exe
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)

SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)

Processor information is often read in order to detect sandboxing environments.

description        ioc                                                               Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0        TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)

description        ioc                                                              Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe

Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid Process
4796 chrome.exe (2 entries)
2836 2024-04-03_205a43fd811544c905363c9968c9d2b1_ryuk.exe (35 entries)
804 chrome.exe (2 entries) -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 656 Process not Found 656 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 4796 chrome.exe 4796 chrome.exe 4796 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4980 2024-04-03_205a43fd811544c905363c9968c9d2b1_ryuk.exe
Token: SeAuditPrivilege 3092 fxssvc.exe
Token: SeShutdownPrivilege 4796 chrome.exe
Token: SeCreatePagefilePrivilege 4796 chrome.exe
Token: SeShutdownPrivilege 4796 chrome.exe
Token: SeCreatePagefilePrivilege 4796 chrome.exe
Token: SeShutdownPrivilege 4796 chrome.exe
Token: SeCreatePagefilePrivilege 4796 chrome.exe
Token: SeShutdownPrivilege 4796 chrome.exe
Token: SeCreatePagefilePrivilege 4796 chrome.exe
Token: SeShutdownPrivilege 4796 chrome.exe
Token: SeCreatePagefilePrivilege 4796 chrome.exe
Token: SeRestorePrivilege 3084 TieringEngineService.exe
Token: SeManageVolumePrivilege 3084 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 5128 AgentService.exe
Token: SeShutdownPrivilege 4796 chrome.exe
Token: SeCreatePagefilePrivilege 4796 chrome.exe
Token: SeBackupPrivilege 5336 vssvc.exe
Token: SeRestorePrivilege 5336 vssvc.exe
Token: SeAuditPrivilege 5336 vssvc.exe
Token: SeBackupPrivilege 5448 wbengine.exe
Token: SeRestorePrivilege 5448 wbengine.exe
Token: SeSecurityPrivilege 5448 wbengine.exe
Token: SeShutdownPrivilege 4796 chrome.exe
Token: SeCreatePagefilePrivilege 4796 chrome.exe
Token: SeShutdownPrivilege 4796 chrome.exe
Token: SeCreatePagefilePrivilege 4796 chrome.exe
Token: SeShutdownPrivilege 4796 chrome.exe
Token: SeCreatePagefilePrivilege 4796 chrome.exe
Token: 33 5668 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 5668 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5668 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5668 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5668 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5668 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5668 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5668 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5668 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5668 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5668 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5668 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5668 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5668 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5668 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5668 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5668 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5668 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5668 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5668 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5668 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5668 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5668 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5668 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5668 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5668 SearchIndexer.exe
Token: SeShutdownPrivilege 4796 chrome.exe
Token: SeCreatePagefilePrivilege 4796 chrome.exe
Token: SeShutdownPrivilege 4796 chrome.exe
Token: SeCreatePagefilePrivilege 4796 chrome.exe
Token: SeShutdownPrivilege 4796 chrome.exe
Token: SeCreatePagefilePrivilege 4796 chrome.exe
Token: SeShutdownPrivilege 4796 chrome.exe
Token: SeCreatePagefilePrivilege 4796 chrome.exe
Token: SeShutdownPrivilege 4796 chrome.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 4796 chrome.exe 4796 chrome.exe 4796 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4980 wrote to memory of 2836 4980 2024-04-03_205a43fd811544c905363c9968c9d2b1_ryuk.exe 85 PID 4980 wrote to memory of 2836 4980 2024-04-03_205a43fd811544c905363c9968c9d2b1_ryuk.exe 85 PID 4980 wrote to memory of 4796 4980 2024-04-03_205a43fd811544c905363c9968c9d2b1_ryuk.exe 87 PID 4980 wrote to memory of 4796 4980 2024-04-03_205a43fd811544c905363c9968c9d2b1_ryuk.exe 87 PID 4796 wrote to memory of 2092 4796 chrome.exe 88 PID 4796 wrote to memory of 2092 4796 chrome.exe 88 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory 
of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 4988 4796 chrome.exe 95 PID 4796 wrote to memory of 3380 4796 chrome.exe 96 PID 4796 wrote to memory of 3380 4796 chrome.exe 96 PID 4796 wrote to memory of 1836 4796 chrome.exe 97 PID 4796 wrote to memory of 1836 4796 chrome.exe 97 PID 4796 wrote to memory of 1836 4796 chrome.exe 97 PID 4796 wrote to memory of 1836 4796 chrome.exe 97 PID 4796 wrote to memory of 1836 4796 chrome.exe 97 PID 4796 wrote to memory of 1836 4796 chrome.exe 97 PID 4796 wrote to memory of 1836 4796 chrome.exe 97 PID 4796 wrote to memory of 1836 4796 chrome.exe 97 PID 4796 wrote to memory of 1836 4796 chrome.exe 97 PID 4796 wrote to memory of 1836 4796 chrome.exe 97 PID 4796 wrote to memory of 1836 4796 chrome.exe 97 PID 4796 wrote to memory of 1836 4796 chrome.exe 97 PID 4796 wrote to memory of 1836 4796 chrome.exe 97 PID 4796 wrote to memory of 1836 4796 chrome.exe 97 PID 4796 wrote to memory of 1836 4796 chrome.exe 97 PID 4796 wrote to memory of 1836 4796 chrome.exe 97 PID 4796 wrote to memory of 1836 4796 chrome.exe 97 PID 4796 wrote to memory of 1836 4796 chrome.exe 97 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-04-03_205a43fd811544c905363c9968c9d2b1_ryuk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-03_205a43fd811544c905363c9968c9d2b1_ryuk.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4980
  - C:\Users\Admin\AppData\Local\Temp\2024-04-03_205a43fd811544c905363c9968c9d2b1_ryuk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_205a43fd811544c905363c9968c9d2b1_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e0,0x2e4,0x2f0,0x2ec,0x2f4,0x140462458,0x140462468,0x140462478
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 2836
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 4796
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed3db9758,0x7ffed3db9768,0x7ffed3db9778
      PID: 2092
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1884,i,7242747935253715489,2571849748467892590,131072 /prefetch:2
      PID: 4988
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1884,i,7242747935253715489,2571849748467892590,131072 /prefetch:8
      PID: 3380
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1884,i,7242747935253715489,2571849748467892590,131072 /prefetch:8
      PID: 1836
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2932 --field-trial-handle=1884,i,7242747935253715489,2571849748467892590,131072 /prefetch:1
      PID: 2192
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2948 --field-trial-handle=1884,i,7242747935253715489,2571849748467892590,131072 /prefetch:1
      PID: 1488
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4580 --field-trial-handle=1884,i,7242747935253715489,2571849748467892590,131072 /prefetch:1
      PID: 5080
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1884,i,7242747935253715489,2571849748467892590,131072 /prefetch:8
      PID: 876
    - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
      PID: 552
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff73dbf7688,0x7ff73dbf7698,0x7ff73dbf76a8
        PID: 1240
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
        PID: 4776
        - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
          Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff73dbf7688,0x7ff73dbf7698,0x7ff73dbf76a8
          PID: 2864
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5188 --field-trial-handle=1884,i,7242747935253715489,2571849748467892590,131072 /prefetch:8
      PID: 976
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 --field-trial-handle=1884,i,7242747935253715489,2571849748467892590,131072 /prefetch:8
      PID: 4412
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4928 --field-trial-handle=1884,i,7242747935253715489,2571849748467892590,131072 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID: 804
- C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID: 1328
- C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 4416
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 4448
- C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 3092
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
  PID: 5040
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 4740
- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 4188
- C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 1196
- \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 2236
- C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 4420
- C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 4140
- C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 1840
- C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 3852
- C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 3920
- C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 2504
- C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 3068
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 3148
- C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 3084
- C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5128
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 5240
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5336
- C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5448
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 5564
- C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 5668
  - C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID: 5296
  - C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
    - Modifies data under HKEY_USERS
    PID: 5828
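The process tree above shows the Windows service binaries that the sample opened for modification under System32 and SysWow64 (Drops file in System32 directory table) later running as top-level processes and flagged under Executes dropped EXE, after the sample itself enabled SeTakeOwnershipPrivilege (AdjustPrivilegeToken table, pid 4980). That is consistent with the sample overwriting legitimate service executables so that the Service Control Manager starts its code on the next service start; the replaced alg.exe then writes further service binaries (fxssvc.exe, SensorDataService.exe), which is a second hop of the same technique. The following Python example is added here and is not part of the report or of the sandbox vendor's tooling. It correlates those three tables. The input records are copied from this page's tables as constructed inputs; the chain logic, the field names and the decision to match on image name and file basename (the file table carries no PIDs, so a name match is the best this data allows) are assumptions of the example.

```python
"""Correlate privilege, file-write and execution records from the report into
'service binary replaced and then executed' findings (added example)."""
import re
from collections import defaultdict

# Constructed input: records copied from this report's signature tables, in
# the wording the sandbox uses. RYUK is the sample's image name.
RYUK = "2024-04-03_205a43fd811544c905363c9968c9d2b1_ryuk.exe"

PRIV_EVENTS = [
    f"Token: SeTakeOwnershipPrivilege 4980 {RYUK}",
    "Token: SeAuditPrivilege 3092 fxssvc.exe",
    "Token: SeShutdownPrivilege 4796 chrome.exe",
    "Token: SeBackupPrivilege 5336 vssvc.exe",
]
FILE_EVENTS = [
    f"File opened for modification C:\\Windows\\System32\\alg.exe {RYUK}",
    f"File opened for modification C:\\Windows\\system32\\fxssvc.exe {RYUK}",
    f"File opened for modification C:\\Windows\\System32\\msdtc.exe {RYUK}",
    f"File opened for modification C:\\Windows\\SysWow64\\perfhost.exe {RYUK}",
    "File opened for modification C:\\Windows\\system32\\fxssvc.exe alg.exe",
    "File opened for modification C:\\Windows\\System32\\SensorDataService.exe alg.exe",
    "File opened for modification C:\\Windows\\system32\\MSDtc\\MSDTC.LOG msdtc.exe",
    "File opened for modification C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\608ccf78ed1090.bin alg.exe",
]
# "Executes dropped EXE" table: (pid, process). vssvc.exe is included as a
# negative case: it ran, but no record shows the sample writing it.
EXEC_EVENTS = [
    (1328, "alg.exe"), (3092, "fxssvc.exe"), (1196, "msdtc.exe"),
    (4140, "perfhost.exe"), (3852, "SensorDataService.exe"), (5336, "vssvc.exe"),
]

PRIV_RE = re.compile(r"^Token:\s+(\S+)\s+(\d+)\s+(\S+)$")
# The path may contain spaces; the writer image is the last token.
FILE_RE = re.compile(r"^File opened for modification\s+(.+)\s+(\S+)$")


def parse_privileges(lines):
    """Map image name (lower-case) -> set of privileges it enabled."""
    out = defaultdict(set)
    for ln in lines:
        m = PRIV_RE.match(ln)
        if m:
            priv, _pid, image = m.groups()
            out[image.lower()].add(priv)
    return out


def parse_file_events(lines):
    """Return [(path, writer image)] for every file-modification record."""
    out = []
    for ln in lines:
        m = FILE_RE.match(ln)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_system_binary(path):
    """Only executables under System32/SysWow64 count as service-binary targets."""
    p = path.lower()
    return p.endswith(".exe") and (
        p.startswith("c:\\windows\\system32\\") or p.startswith("c:\\windows\\syswow64\\"))


def find_replaced_service_binaries(priv_lines, file_lines, exec_events):
    """A finding needs both signals: a system binary was written AND later ran.
    Each finding also records whether the writer had SeTakeOwnershipPrivilege
    (how a non-TrustedInstaller process gets write access to those files) and
    whether the writer is itself one of the replaced binaries (propagation)."""
    privs = parse_privileges(priv_lines)
    executed = defaultdict(list)
    for pid, name in exec_events:
        executed[name.lower()].append(pid)
    writes = [(p, w) for p, w in parse_file_events(file_lines) if is_system_binary(p)]
    replaced = {basename(p) for p, _ in writes if basename(p) in executed}
    findings = []
    for path, writer in writes:
        name = basename(path)
        if name not in executed:
            continue  # written but never ran inside the run: not this chain
        findings.append({
            "path": path,
            "writer": writer,
            "executed_pids": sorted(executed[name]),
            "writer_had_takeown": "SeTakeOwnershipPrivilege" in privs.get(writer.lower(), set()),
            "writer_is_replaced_binary": writer.lower() in replaced,
        })
    findings.sort(key=lambda f: (f["path"].lower(), f["writer"].lower()))
    return findings


if __name__ == "__main__":
    for f in find_replaced_service_binaries(PRIV_EVENTS, FILE_EVENTS, EXEC_EVENTS):
        tags = ["takeown" if f["writer_had_takeown"] else "no-takeown"]
        if f["writer_is_replaced_binary"]:
            tags.append("second-hop")
        print(f"{f['path']}  written by {f['writer']}  ran as pid {f['executed_pids']}  [{', '.join(tags)}]")
```

Run against the records above, the output lists alg.exe, fxssvc.exe, msdtc.exe and perfhost.exe as written by the sample (with the take-ownership flag) and fxssvc.exe and SensorDataService.exe as written by the already-replaced alg.exe; MSDTC.LOG, the .bin drop and vssvc.exe do not appear because they fail one of the two conditions. On a live host the same correlation would be built from Security log 4703/4656 events, Sysmon file-create events and service-start events rather than from a sandbox report, and the name match should then become a PID match.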
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 0906617be86aa7ce0bd610ab7e0b4df3
SHA1 0891f64b74d1ae8d51f05a15f5e3175663dca1cf
SHA256 8b83f8c8fb30350c36be75ebfffc3518c519fe9391fde6383074ab2459b54966
SHA512 37876fbc04dbb9b876cf8fea7d3882191dd1de5cf204161a11d5ec592bd8d8caf6c0b8344579d47955b3d161d55fe4fdabab6dec26742a219e28beeed012ee87
-
Filesize 1.6MB
MD5 e9774f8380a95dac02b25862acbeab20
SHA1 d6f7b6dea75fe251d27dc678c49c462779b2c194
SHA256 e0ecdfa636f40d3ac3a49ea5454aeec4e5f4ec1247f6cafd428368d477b5178b
SHA512 0cc9219577ec66dce35b5a2128a10cdc9bc797085e0e6ae12f6eda979714023c54a9a509f3248e17922ac9bbae7e5032df826e71a04a81c8237d31a57fca7500
-
Filesize 1.9MB
MD5 85cb225b9039736b8cf57826ca7b8d98
SHA1 388246d05c284e2a1ad693fd14a043aa76a42647
SHA256 71aa6f8a6240359cb2dab2b6a87b2b5e95931ed4279f75439838c2469580cc69
SHA512 17c523e2d67a118fb2eae0cfb0f33f4f816fcb89f82dcddc1c6cfd322b989f6cfe1f19fdd7fe3f9fdb4904b88c8e38a8e911a253aae06961a09f5833d43b88cb
-
Filesize 1.5MB
MD5 825e286cf0b3830dbc36722404ed4627
SHA1 a3f59baed8bf71cd4ff2fa6345546c4aa4c809ba
SHA256 1293ffcacd9302a8ad636c830a55c023e9833ecdb60c8e364c820ded04ab8bad
SHA512 25ed4d96d22f25ab032087b2a744dd3006a640e5a14983548e503396ca7e8c08a00d5b7ff23b97ad1b8d1c2db903228584e2eb0f79acdf887ddd8094006e8f1e
-
Filesize 1.2MB
MD5 eb33c758ec6b1eb86cbc9aa0b464b2dd
SHA1 07349dfce55cc487a6d0f55a4991f87081dbdaeb
SHA256 5ef0db978f78e67727338f8a4c366f7f8fb078b67869154a703db70b3f8dede9
SHA512 4c71373139a64cbdb2b292b647667d466950f723d59fdff65342ab5afa90df2bd8097046a67d9c2efaf348bd39036311f9c2290beee1e3a6fafba61297844518
-
Filesize 1.4MB
MD5 65f0bc2be1d4120c1b008f0957906c24
SHA1 ac67cc0fa6ecb0f2eb8a2d32427546fdfada75c7
SHA256 8938cf26d40afc2e61e1dcdf5e777f9330919c2b7349be2a0c7c5727681fe726
SHA512 b9a77c9c3561e39f654874ea8c4e6105e2e39dd5376029f96fc7b3106dceccee9cdf5ff7af2681e6a342a197049f1aa5c635f3d8503a320291b140ad25a9c934
-
Filesize 1.6MB
MD5 ea2ed75422eb177303a09674afdaa0b4
SHA1 dabd2a413ed1e1337a07f63dfc6b485d0fc172b3
SHA256 c88c60a18a65afd1051bc9adf7e428289cca9ee0c697b90e3deb489e6a49a828
SHA512 050a380d61ef5dc5a661318d7321343194271b3783ac6ec6583b2274c8d0b3112f5d353aeeeb28235b468eb0b352caf3922b1fea2ed3569287356fc24c9a8812
-
Filesize 4.6MB
MD5 41f5798aa501eaeb7f010b7dea7e52bd
SHA1 35076fd9b10b8659b3522222fdf6d3eb494ff4d8
SHA256 e1a9b80d8328d0e446814d3bc21a87810b6178772ddcbbeb9b6036c60e735b74
SHA512 3981dd1af8e35e4ae90fa7cc09f490cc87a566b3ea338ad84d7ee330e1f39b0f4b607255e40b6372a8325bce873e4cfadbb296597e8d3a3e13d27a1d85666eb7
-
Filesize 1.7MB
MD5 63f478265c599f120326bfb9907ec57f
SHA1 15c5060c6c60ffe0f0229eaf5865013d561b417a
SHA256 7ccfb3568d407f3883c57bb877ff4759649c575e1157c6ad8a08a24ddfc274bf
SHA512 fa40c806f7765dc9f72ae63f7e967af9bdd8fae55870fdb5d9c3affc2c3708b87317a46050fa5df85d97e4c99c9a32f51d6614a5dcedfbbb55ce7dd95108a0e3
-
Filesize 24.0MB
MD5 d9c276fe126acf201b401f903ab43bb4
SHA1 482ce8dbb7d6082e22ff26bcef05e3ac894aef42
SHA256 eb25d81f1ed0c4dd0bb7b2a1a167bdd8168f1a485e5410471667d41b5d042aae
SHA512 34feb73ce512cf0effef48b9e62e1c0ad9f043e77118029e4e3dde333e9f27ebf1116197dfcc0c714c9c3ae6c7e704367db0d2b15d0df5c0c1ad6747957860f4
-
Filesize 2.7MB
MD5 ce0136868c582f1063e54ceb798a5a86
SHA1 f3dac5fb8d96c22dae1985589cc412bdfade00a9
SHA256 61df12dab2f21e547cc451c392fea691e5bfc642bd6f5d0d28c1cd876ef421ae
SHA512 a11a8079cbf7e53357db1b3cf30fdab6d4a046694cbf6a1c56d98c744edfbde33d183a5bb2908be6e58e549df47673551db7f74a3583bba9bfff8947258e063c
-
Filesize 1.1MB
MD5 2276a81cb4528bfd393ca9db8d032ae2
SHA1 a957328d9a478ef1069a67605658e27cb2ef2261
SHA256 e357227e734a2f416c78c5951c6ea52094e31cd9ac99a958a3cc9266cebffe84
SHA512 9052df03bcb4f57477b1f0e0b1b2feb270b6c457042832bf0cad71d614cbc5550b5e80af6d8b393a2c8fb347b8e2f46565551565ce9e96cd21ef7484baba4cd9
-
Filesize 1.6MB
MD5 e8b863b6f0f50d1773535b050a4e3c9d
SHA1 a1c42628f77932412b85bf3321ce3ae2f00e4dbb
SHA256 f54458a85c6bdd02f82a9a71c43fa99b0f242b257c7c916fa9270b9f2763d817
SHA512 def55e6199ece7e23c068ec3fc59564a49303dcffbf940b0c30d9f77b6e17f4252c639eb0761d39a3584a9263181bb3d7b11a4ffd87a6271686c1e3ea17d39cd
-
Filesize 1.5MB
MD5 8f49463bc9ebeefc78058e4a0d3f6f67
SHA1 003970b7e434aa4c510071fa4862fbb1483e53d0
SHA256 23845841781b6030ad184da2eebe9b26cc4e504fefa8c190e6ed6dd75f66df36
SHA512 90c685bf1f97f75913c62eedfe62f9c2308c78623bb6492ffa6438279db32c428204e2fa29b6f940930ac287a001ff2585c1114a866ebbae9123380fa91b44a4
-
Filesize 4.8MB
MD5 bc425cdb3b6798c6d4ad9fdb0db41a67
SHA1 523b5ae7c98ffb619d7dce0dae7aa7a592cb88fa
SHA256 fe5ddb2f2094d5be0b5ee9ae4fef3e0eec04af416d63b5e8eac9d239bef6e988
SHA512 066446d77e5941cb85710f869b0c44190ae8a64a5b798dfe84f096487ed49c305fd4786ffacafa27987ba030be269c503442a833a5a892aeab8623d6086624ec
-
Filesize 2.2MB
MD5 e9892fc51a1abc7909516bf9b6b0fbf7
SHA1 357724fce196ac8b0fd0234bf0ee585194491487
SHA256 5aa417ce508972e5cdc61c9b6e7e51b7462228bf01f0bbf1f5b0583cb2398172
SHA512 dfa7e6008b69feb3a3c65b994e3eb3bcf1f6d38efa91b870788e94c54f178b7a47daa8d87a7bd8b6b8b9845ebde67fcda5c3a47812e2cabc39442d37c7ce4756
-
Filesize 2.1MB
MD5 fa13a2fb78cd5551fc76835dd204ff39
SHA1 87bf4d2a89b08d5f2e1105a0e8793ad8544e7abd
SHA256 16feaa1d6020c5aa847b3c17850ee73f9830dc84b18f21fc09c60e4dfe8d95bd
SHA512 a8536700696092233989d3cc448c7c5883da3ffb4985cd0cf936d80c5012c822571a701db2d87e25b501d42582b81b528a4023672542e85105358ca5958f46af
-
Filesize 1.8MB
MD5 bea2f57e5bce41510d3a96828096c3f5
SHA1 548e48181bde79b274843f6ad7c44d66f2366a99
SHA256 ce585f198cf64d0f35ed24a42c4b2b0b15662cb4e174a499e0f1f3b377b89c0a
SHA512 191cc71a57d8c299fe75845816d67c1a89e67d6c5217ab09813623003f308b60fb6ee1b3f73a5c834f99f97535810f7c53a6314080f49655580c21229a970451
-
Filesize 488B
MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize 1.5MB
MD5 759c4295a33b8bba227ec4d7dddcf35b
SHA1 22bdc89f9f3fb1ac2af7f79a5e0321b414254b8f
SHA256 c44ccd3ca02c23bbfee1736a8f5bafb1a788ff7b35139a0c7fe431f8dbcbe956
SHA512 e2c54eeed71a1b9618f89158dfa009833840a95b7bc9d1b63915fc0b43bbfcef6190fdae6dd131503500ab90715c99032c1f002b55437db81bad18f7737b84e8
-
Filesize 1.5MB
MD5 f07f2ebdbf7b3c74b4ad78a6f14480e9
SHA1 bddffa77fa0b5d2d21c84ef6d12bf233aec2dbd9
SHA256 7a81daa97006289bb86d1805a9572057cadd03b180b976e0edda0bb38c0c9793
SHA512 3740c3b562f8cdb9be7eeead7c5ecd2486a9ed6014bccc547ca683d29b1c11a00b46561f1c1c5516741d7f59e6b7dd476d21480adc76f5a049917cb39dd22239
-
Filesize 1.5MB
MD5 b53ead035436cea1e54d5197f80f3243
SHA1 6793f5b50a4aa4306ab943694b8adbb13f595653
SHA256 179e01a0a6b21df5154829c20c1237ee161a9bebe1f3bba2c6b1b7f05b54d1d6
SHA512 ab2e0b4a6cf4c7d3797a6378d9b3de8f3655fb737e56afa45f587c2895f71ed2e431a7dd933fa5f60092b27784610370129de613eb6701dbf54f2dbc3a6af8f0
-
Filesize 40B
MD5 bc16ebe41a9fc2938c4060992a92b0af
SHA1 1719af3e339b187d984a76437eb80cae5dc50e6f
SHA256 5874dbe9583546eb24cfb2b237d58f97ef186cd72866dd224df82e62817744ae
SHA512 c78d4be86a3f35ae07375b37fd39f869d317a6ec6699d7673731e6f9b255d7bcbfacf58ca71c3f51baac1e2b2bbee7da58603efa5bd51a31162c481aab7a912c
-
Filesize 193KB
MD5 ef36a84ad2bc23f79d171c604b56de29
SHA1 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256 e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512 dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize 1KB
MD5 b2878632b4b66c5d3b2e7c0bfddce316
SHA1 9e80ab4a4e0741971749d7a32dccd9e865570385
SHA256 4a006b42cb5e94af25c5044f2f9e75daf736728bae3a79f297ff0166c1dd053a
SHA512 4541fd02d099b21f0e422335f40c5f0c9c0933c749c6871c11ecd7bbb9a0fc2ae910a6dd86f69d6e6c58c759870029b7a46a3daac91d86fdf4c5aced7c6a0a4f
-
Filesize 371B
MD5 8b6197380bf7ad42b71f037c97bba243
SHA1 f2d66f05566dd629a481346ec6b1536b09ebb52a
SHA256 e277f81aa2b6582ad922767f7d9ac71ba358f97f36efa21fd9a2e18eb36d26dd
SHA512 cc5512b82d14406ed46f45781412cefc7acae8b22aed1674789aba84b91d522ff831985c84961a701885bd81b14ce5bcb8cdb9436a10b22df8337eb060d676b6
-
Filesize 5KB
MD5 9c85cac8569d54aff003ab148e269b1c
SHA1 d21f60928fe8d084e8baa59934d15260731a6d60
SHA256 106b7b50719d704f882630cb411b80eaabd15f3940247ce5b265c08003e8e62d
SHA512 30c25e13b8200936f3c16cc961ae58747aa49f5b740e4a593b077dae16e240ae77c522ef8c71bee0838eb9e669d113602ea11cadf2bb7b29d321f50517200dfc
-
Filesize 4KB
MD5 fa5304f9d36e911b138590ea9b86b670
SHA1 9c0972704ec86bb03b57b149fe798cbcd1ce9059
SHA256 5cce0ddbd567337b172b36f63e9af4f6f9eb7c620d8ef1e3d00d9c378a0d3c2a
SHA512 7fb556a2b68730c674f8d922cce9a1e0b711a2980202783a3677cc341a25d8d3ce0e256c328cb46c89c981e89bc8efac83f56f25891a54ee2a347f425cc7e631
-
Filesize 4KB
MD5 e48108c7dee0b2d034529dc0b50ed93d
SHA1 f690357d19fb148483009bc456ccbbdee96d4de8
SHA256 f7243301c3fddca22bf574ed885201e1274e56305c6f66ec1ee31a9a579ed1aa
SHA512 c831a533f996d03d25863525ace922b1baa95132c5c578c743bb634b9ce0ae64c3d9ce11c15f21489d49f70c540d9f299be2e692b03b37b9965e89dd21b9073f
-
Filesize
2KB
MD53edecd18ee6edb84a0c5cc2869b57cd2
SHA1e291fe43a956ab29cd103e3cf39aec8a516938a2
SHA25674396febec16fd8df1e991beca98541a5417c26fbc44246bd978e98ea81dc3b6
SHA51230815ff00dbcef7d4b474b51c78c9d9be8ef9145e4dd6fcd8d89076a59e79c01441c62e761a91e13f9b2c03399badffb5717023fb70f6106a6ecbc943a3a576a
-
Filesize
15KB
MD529841d04494ff1d9fa9a94b943c7cf16
SHA189e34349a2c82e498280b30ee376e7b8430d8feb
SHA256f932791a735dc7107be209dd24719c4850971660f88a1d544c96c9436a5733bd
SHA512880ce898fcb291076b1722784283df30f4068de18388ca7e1e8b0984e4335516d1198539e0f269786ef5150117812971bc978cf5be3a86c6d87de43a7dbbf4eb
-
Filesize
246KB
MD5675adb34e4c51adb10edd0bfab608aba
SHA1e676e2e02f5f28e295f494c91e26b5011d094052
SHA25600aa3220349a75f28ffe538337557e66199688e1c37a6fbe4746d7a79c94c13d
SHA51209c27ad92e0fb107b6e090e34ff66c3f7e284a4ed946e608122545cd598e876bc9331771ba0529b2a3b9a90e0ce0ab8f3045c37bec816dbf5a50a377b79ce4af
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
7KB
MD5cc91a3b7a634cf5b75f1874e072ce890
SHA1f840df6f29ab43f33a8f4f55540e0b945ce5c53c
SHA25689632ccc6b3ce82201301782a1d9b3f8520b73c85fd07460eb68c6dee0249eb8
SHA51210a0df71fe12d86f5443c892690be168c16e300f8fed1476b0140a5af347239e7f76a6c90673207c2222c5f8e5505f9c10000a756e205c83653c11dae8e1b35c
-
Filesize
8KB
MD591007f9dde9208b06c5d152933f46ed1
SHA1ad4cb1f544bb700afd31b1eb3028e9d09753e905
SHA256c6abb7eeaf19dd4264336aa000ab93d90955143fe1ea8971a9b2cef51f9cd092
SHA5128cca009a682312287ed17b8b57bd7d1c13cd16807db55a94b12350be6e14ef71fe655cb41a8dd76bed53d850e0a423e95a8991cb3fcedc42c7b4d58c8f9e7dae
-
Filesize
12KB
MD58830e8670e136132ed3bd6b67d5a05e5
SHA153704194686108be755d8abf7c737c0063d0ecd4
SHA2561a655a07289101a280203a1b370049f57738f3c74d57b8ce8f67c3db59a9ebb8
SHA512c8f68a483943b851e995efd7257b5296bb09ba302cc9aee965324489fd38c8b0124dcec24165b1f8fe78d6236b5985210d5e54256dd1f2fb448b2fd5ff9f8158
-
Filesize
1.4MB
MD504bdaad0566553893cf7bb2f0b737364
SHA1da807b70683e14210f00481669617488025f59ee
SHA256ae2629fad4e495eb96abcf4a1a01de96ac732bf3b5482a5200a3ab996940c479
SHA5122c3d526f5a60fe269043439aaf43498d050e84efd14d1a3c49120bed8017af10e769d71ff80d2a4406645ce09fd0760325ac122ae72bdb152876f72e1fa183a9
-
Filesize
1.7MB
MD500e597d5fc889eb1afee456d324215b9
SHA1fae64533dad5c959ed6dc27e03c963d689f44fbc
SHA256519620046fb802928393c5ad1edf7ef2de8332ad14d3eadccb95df53bb0db730
SHA5126d9ea8e0167cb26671908718f7d8e26692a6dcd6c5066f5a8bb164038d12470c746aaf7133d2c8c7070ac177ab2c9210a2f81a27b44fc8e53572f4c3886b766f
-
Filesize
1.5MB
MD55167c78295dd8bd50ab55954fd4cb41d
SHA157ba1e7c955b24c3f3288e1be9488bc374ccb648
SHA256d083f7b3f485b8d8c5064e8062b56a6e21014f6980fda865ebc8c00d26ad94a0
SHA5124934b08b40eab572c0246327ab8faedde8c7f257a81d0b8b5b265d083e8d35a064c703b2423f4b0c1c7c8aaa02ca75def44bd3f5fb484d9fede78dd8246e4aad
-
Filesize
1.2MB
MD5dea614727eb7033afefe2279eb92e377
SHA10d10f6ed33eaadb308ab221f732651858f2f583f
SHA256f745d017b67aab6c4f8efc0f5cf302e42ed867060c7962acc6f7c359e109e8f3
SHA512ea5f896248d844227422bc22bbaa685e18c19b8ddcae6845ac3e3f9b71bedfb96c380c874316373498b406264ba099206657ee3a0b0c990c8ff93d881a3a0093
-
Filesize
1.4MB
MD52bfbab73e6be0b7f1a02a945b7a77c58
SHA186148a88b72c2c3776543df9c506fce2a5fa96e9
SHA256dad455bbc25fae1a46827a3d1b74cd19ace06ef8f4e0799ad505aca60443ce52
SHA51255d65bbe2cf4cdcd7146058a2467958f81fa1c28ab11cdab590242cbbde01709d7d6c4656ffa44fa1e08bc636e535634e376ca825f687f801ce9e46d81c63c56
-
Filesize
1.7MB
MD585b0679671fa77f98e2bc6ec39dc0cda
SHA1c22ffee389f4f7443f657b507c0dbf795dc835c5
SHA2562fb43613cedca51e8ed5c4491479fdec313f98d9c315208dbd9c108b79bd82ab
SHA512f3bed423deb0f2fae1ce1ea0a304d65e6bcc331b2ea9baead4b4a045de68eeaeb888ff5a56f787d36ba039ba6ae13d9b18c0a4d3c74bf89139130026337512be
-
Filesize
1.5MB
MD533db00de061110b91882e07e6461035c
SHA1956af8a9bc28e25cf688a6d9fa9b46e8e9d4104f
SHA25629ec7c157c2560f259f2f1acd048c77987d0cd3983aa6f24851211d004096cfa
SHA512619c3a473e5e8443d8cda17829a84bf3663ef9302bb45c8aff4551d1a1b98e6ca34c613fd3084436940ff837f92cd41a92499a43921019ef71a0e6edbf07c994
-
Filesize
1.4MB
MD51c30811f8b3d873ebafaf48bcea5ae7c
SHA17f4470523435396ae202086edd442fd0265e209f
SHA256ff5c08d922cc94704932c160230551827f5c40b5e4a8a486652e49db9a21d118
SHA5126fdadea6e9b74cf86197da6f3af9aa5443f2d493f77da26b97e24b5aeb0b7a0610ec1675a4bdc299310b649eb8a98870538371cd2ecc18f90182c2873b598b9b
-
Filesize
1.8MB
MD5420a9fc1cabc66aed3ece8990204c64e
SHA1e2724bc243a6a55f0dbac702cc80bfcb3dfbed22
SHA25618e05a9b13aa0249483cdae47f5f0c81b1bcf12be596695af0225f9e4d85f684
SHA5124b7c01cb005fec13db7030ad41687a3a2f4dea32121de9a15e2a092575cdb47c9114422d708195cf7359eb8e95fff833f0002a913029f9886f6f590a3cbcab33
-
Filesize
1.4MB
MD5d27dcae64f9f1982eb551434e0bc5307
SHA1f6268c20639b7f7ffd8593e3c544629a01f53c50
SHA256e9a7bb0f1b18ef1944588fc224957dbabe9028ca619c7c77d4f965f9db8d2ad0
SHA512e946c560d11645dd7a60730a33480eb16071694a425d32c99d72b8fcf81d7c5cf338bd0d5237de988317f7339a5794e8a4cf933658d86d1bfbd64295e2184d96
-
Filesize
1.7MB
MD580a2b5e98d1c63d7a25cf0e9bef5ea79
SHA14d6d7be4d3277bcd47e9fa22423e0731f4d25127
SHA25690a756a49efb1e5eea9df5e72699c2a14f01f23b9051bddcddcbd3ac69fce1a7
SHA5122538f4fbb5090561fe82e07030b880d3d96878cd910055599ac11c817f758301a8b5d77a279de47b5c03d7554d7a62d73ad757febab80aee8c9fc291385131b5
-
Filesize
2.0MB
MD504b4d1329a576b99c37ba94cefcdc8cc
SHA19682fb422051c2660e35fca2ac81836bdd630b77
SHA256950522707673db052a757a68e00f6c3afc29d28ca6fdd192a5c65ab618eba6f9
SHA512515da8887304149594520c5f02484e683d9a03bec98318b30a5f69598cf8bf8e84294e6caca2f78e056b9df2d15690bd339ef96966cf192ef99b4049928b0b33
-
Filesize
1.5MB
MD542fcf6e1720242eab83df82516dddc94
SHA1f5a253e10f800056479842348fde6895df815077
SHA25678d1f36536e8911c0724db9147435f9b723f3ba35acc82c25284feefbb2ea7b8
SHA51216d1e9de9a1b437de2e5e26472bfe8f684530606d77143f28b6a3eaa694881660548668413420ad9c648b074427cbbeb765600de00f1f92a5a383c27f65781ad
-
Filesize
1.5MB
MD5261d8baf61d97860b88ce7c5ba65d5da
SHA1b522bc5ce082385378b30bff14c723a4bb9c35a9
SHA256fa93d868a65c7a063d1694fa3c2a4c6dc7a3bf1919db22b1f58bca6c1b392fdf
SHA5120bb7eb06af09b82d3e83f75d9124363d97e7deb0d2a469440b78af558b7b0ed3342e9169b37723b77ab2959541a7eb4b19dd5d785b629c554cc92d0c17a541af
-
Filesize
1.4MB
MD50bc82ad759129ccdf57ff479c5453f1d
SHA19b68485fa768be9525d8035937b77d7bf1edb8f8
SHA2564f883416bffe92eac7f334fff4358690d22e10e0f7aa8f643fc921e96a74953f
SHA512be0a0bdbfc5253dbddf0d078c7d1445432296d0d37cc442cbe4b3c426ed957a8c9b48a3f87493d03b845f6a988cd7eb7248f651e91e7fd2bcae1716b6c31e9c7
-
Filesize
1.3MB
MD5b48b612b19155a429d7333e203e88953
SHA1dc076d90fb5e2f8a1280e8035d9f8cea345b222b
SHA256757339a894241a899f8ab81ea9ddae0a11262d550d74d32bbf94a49ddde3cc15
SHA51290fbec52175452d065ba5b869fef3151e106c4b185ecc69e0ac8ad88bb025ea28f3c9df0d2b85fa5c741c7e2063a01f30bb4af51f1a901cb6eba6cc51973b96a
-
Filesize
1.6MB
MD54c4b6370747f871762553a602b52458e
SHA1942b74ff65c45b16f0b927a2f4366a3c4f06460e
SHA256ecaca65af037d759f7344a9ce8934b2d28bc010fe276be30b28e4b942d9ffd3a
SHA5128fd04a5c4f6d4d5821126a845237dfe52a1710e38c2a126ed4c57f065be27691c78e2d3421059478864cef801e0baa935f4c2385fd116d6a93cdb44f88994de3
-
Filesize
2.1MB
MD5409b992fcd91e37e426d6e6c7c75a063
SHA14bd48bd3626b7d93797ec2e2917675f090631d1c
SHA2564d3608fca3c6a1230f7827f8cfc298f202fd48bfb68d9333556538ac8848736e
SHA512e522273daf1b825bcbdf7ca65465748acadd146be5694da6c5fdb841a3644b050dc3290573cceb435a8dad28f95c962acdf8c34ccd6cb34d857a415693906f98
-
Filesize
40B
MD5bb84eab408b76ba9a3fce9253f03fc64
SHA156bb35588825f6f31498bcf1b30cadf778ffa8a9
SHA256790a9ce3e7c7ce0f7c79cae2be69cdcf54288ce0f1867ac750c7c7057b5a5b56
SHA51298582734192b7a4af9d879d5bf939071bed70bd8fa7f23439223fc067c3c8a9675903db2b2833ee74cc6b7fadbb0511faa8e7179c7293a407e65e6f7888b6258
-
Filesize
1.3MB
MD5c2a710f184b708d1fdabb9e31bc3647f
SHA1abf9174ea39ba634a9f31216f76b1438609937ef
SHA2569377d6b63fe34ec90ac3a44ec91f769fff4efd5eab49c3ec8d16a0fc97f58299
SHA512133a7ad2df0ce71584e0bc2cb870ec159fe2c027319db7075d4a01209ff74f26128803e775785676e2b59569f3eab2c52d3d14b8937edc969bc1531805aeb8a9
-
Filesize
1.7MB
MD5f3295b0915297711ee0573b8965ced60
SHA11642cb9e5780378f93098e5c869b980af6092c80
SHA256bdcfd018b22af40589468070188f728eefa64bfec4f4d52113709f0e5f025a97
SHA512802efba830d5ed51ca5900b9e5ea863a848f993eefb91a6cc19f798cd4b15565df4639de9b636531ea9ece3298e9db92f810e8201c3bf9b046ad642ff22c417b
-
Filesize
1.4MB
MD50e922985bd1af6f04a9a3a558f7ba128
SHA1a32acb8cef495fa2a78ddf3334f7bfefa5a23e58
SHA256cf6e09c1dfd6e1df39c3d75a62262f7ef8c2fec136d27faca90370e3d631037c
SHA512333559ee91f56b701f930ca03039282518a4fa899fe44fb0be07f7d1ce8689d2e9c810abfb40a99f7e97ed54cc6d84e03db2fc6e207b929c523b2e8b698b236d
-
Filesize
5.6MB
MD5dd12835feb7c959b0b4691cdc4e79001
SHA162f98776d530529a558e8ea1797488271cfddbb6
SHA256667d2a3601b4f5edf1af90459b7f63e2c6c4271410213fb03d6daf34f2aedd75
SHA512b7841517147afd1da4d6e452bb427c5ae0902443411d18d909759918ddc6401256c3b73fb8433374972bc54266957bfe07150fd8687918e1fe4baeed738dc95f