Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 18:48

Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
Resource: win7-20240215-en
General
Target: 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
Size: 5.5MB
MD5: 1a213a216adae5f9062dba60e8c20155
SHA1: a642dc1b7a95f60cd71ada60c9497ed52c5e02da
SHA256: 20976669ef5f33c2bc5e0d5126582acdd778b6603b31a442a826ba500fee898c
SHA512: 61eac0b8a7e6ac1c12563cf63ac834a71bc4690311efab969ad63262ec74a71f4d1ca313268db9558794cdabe909bbe5d8197b548c4daf7886321457b4c40bbf
SSDEEP: 98304:QAI5pAdV/n9tbnR1VgBVmku0JwAio1/8:QAsC37XYj1iY8
Malware Config

Signatures

Executes dropped EXE (22 IoCs)
pid  | Process
4124 | alg.exe
1428 | DiagnosticsHub.StandardCollector.Service.exe
2092 | fxssvc.exe
3024 | elevation_service.exe
3692 | elevation_service.exe
1516 | maintenanceservice.exe
4344 | msdtc.exe
2428 | OSE.EXE
1856 | PerceptionSimulationService.exe
2636 | perfhost.exe
2256 | locator.exe
4888 | SensorDataService.exe
4828 | snmptrap.exe
4960 | spectrum.exe
2712 | ssh-agent.exe
5076 | TieringEngineService.exe
5292 | AgentService.exe
5412 | vds.exe
5508 | vssvc.exe
5632 | wbengine.exe
5756 | WmiApSrv.exe
5856 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (31 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\d12a06aa8ed1090.bin | alg.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76312\java.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{6FB5F2B8-50C9-4E27-9F75-756369A42747}\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76312\javaw.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | alg.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133566437143737339" | chrome.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002580d68cf785da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0f40a8df785da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c31b128df785da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000396f4a8ef785da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000095fed78df785da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a1f5eb8cf785da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002f1a318df785da01 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f91278df785da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd5ff98df785da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 39 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 3 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1340

    C:\Users\Admin\AppData\Local\Temp\2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_1a213a216adae5f9062dba60e8c20155_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2d4,0x2e0,0x2dc,0x2e4,0x140462458,0x140462468,0x140462478
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      PID: 208

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 3580

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff860a19758,0x7ff860a19768,0x7ff860a19778
          PID: 4508

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1892,i,5603584412117662045,8665768605518991935,131072 /prefetch:2
          PID: 2440

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1892,i,5603584412117662045,8665768605518991935,131072 /prefetch:8
          PID: 4408

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 --field-trial-handle=1892,i,5603584412117662045,8665768605518991935,131072 /prefetch:8
          PID: 412

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2724 --field-trial-handle=1892,i,5603584412117662045,8665768605518991935,131072 /prefetch:1
          PID: 2232

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2732 --field-trial-handle=1892,i,5603584412117662045,8665768605518991935,131072 /prefetch:1
          PID: 4992

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4592 --field-trial-handle=1892,i,5603584412117662045,8665768605518991935,131072 /prefetch:1
          PID: 1196

        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
          Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
          PID: 1192

            C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
              Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x240,0x244,0x248,0x21c,0x24c,0x7ff687d17688,0x7ff687d17698,0x7ff687d176a8
              PID: 376

            C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
              Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
              PID: 4404

                C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff687d17688,0x7ff687d17698,0x7ff687d176a8
                  PID: 232

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 --field-trial-handle=1892,i,5603584412117662045,8665768605518991935,131072 /prefetch:8
          PID: 5036

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5144 --field-trial-handle=1892,i,5603584412117662045,8665768605518991935,131072 /prefetch:8
          PID: 3196

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 --field-trial-handle=1892,i,5603584412117662045,8665768605518991935,131072 /prefetch:8
          PID: 4736

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3188 --field-trial-handle=1892,i,5603584412117662045,8665768605518991935,131072 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses
          PID: 3556

C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID: 4124

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 1428

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 4472

C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 2092

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
  PID: 3024

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 3692

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 1516

C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 4344

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 2428

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 1856

C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 2636

C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 2256

C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 4888

C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 4828

C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 4960

C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 2712

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 4788

C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 5076

C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5292

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 5412

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5508

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5632

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 5756

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 5856

    C:\Windows\system32\SearchProtocolHost.exe
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID: 5980

    C:\Windows\system32\SearchFilterHost.exe
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      - Modifies data under HKEY_USERS
      PID: 6036
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
15KB
MD5ac7a953d56ba8fc727721bab6ff8b355
SHA152f5ef3ee7fae3d1d7dc4af4ec08211545c665ae
SHA256e967568b0438aa2df4a5eee52bda6c01b865d8e102403bb53ec161ee963e307e
SHA512d99955dbe1310ad4637380452938dcaaca46e884dff05e29ad596249801ca4fe5334bf3fcf1b18d44d590420da639a028d061eec462250dd2532fd7480439386
-
Filesize
246KB
MD5b7e3eab0ccfa69356aca8bdc9fd8c826
SHA1a2e6686dcd059ceef3fefd5b88fcf852a68b6b3f
SHA256270f775e3ec54abf109fedd1fcac0f23e033b14212666011e28ce1b8e792b754
SHA512fa107b1ddd53456b46eea4ea42459017fc564df940c7ebf87fc5211dcf569427046e7d9dfa44281f62ab94a5e13132964781597bd2685dc69b852025f1257fe5
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
7KB
MD5522b15b969e876c1753ac42a17451d65
SHA1bd81dab3ae8fed3d051ea5211dce0c9f92e10b2b
SHA256bacf4d922ab77383fde9524cf2010ac379bee237f3e1e5f0922387f0cbb16b07
SHA5128e501300802326b4bdc287a58d15164f4b5927251e7de69ab581db0ca7a56c61afe336bc585846c56289dd3940c1473fe3077a46458cd1797e0e70e4a34893e8
-
Filesize
8KB
MD57ad94a259f869988ffa891186ba41c16
SHA172422c80d14d840e5dde85630db862c72c6f7df5
SHA25637eac798e875ea6e299a478d19c81cf951516c1650567effe955ffa309f81577
SHA5129270ec7e1d3791da374241b5f634d71008f2e4d53830deb6588a5e72300b410661a1605a717f44e4f9580d2397ed2a70efd1ed2abd0a5c36c76d7ca7c3c6fc40
-
Filesize
12KB
MD5b5ed4454e1df6c2b90187b4a18ab4e4d
SHA1ac28a7964845d3bb9be22e20a576e6516127d40c
SHA25680af51bcd7732047c798f3e3519ad7201949698f513114d3bff09ad42d9bacd5
SHA512a3649d193ca34e51b74bb7154d2f58a2693f652f8dfec5b6f34cb6763629a43b243b9a8f94ee34ac1c733301dc7ab4f913a14a7705bc434a69a793956e2e9cf1
-
Filesize
1.2MB
MD5a17067d020a2f5d4d7d5766e50a42020
SHA1fa2def54d4886480201795ef7eac19c1947049eb
SHA25642c86268b2b2f79368631acd54c70849d96e3c1269dcf5f5034a374e459b8427
SHA51228bd743704d17b7b92c19e03927fa07fc0d732054226cf717b3d63108394099f6653c2eccf5152096dc4a1a94b8f4d7012c8b466d48d76abe170fc86a8cf5b7a
-
Filesize
1.7MB
MD5210c70fcca0781df69ab2b29c6d5d109
SHA1b13912b8965a50fa176ba6c6a7a92e02234c03db
SHA2562a3b54d658a12d158c6e9477c2e6d755e350f935773e63b5fcbc28b6c0e6ea27
SHA51222ecaab46c69f4f15dee2a3152afe69b2415bb94a253f04faf93f1739e002a4ed85c5f60ebdb3f9443bcb206c677eb15bac4da731ab9d993aa5418c779c9338d
-
Filesize
1.3MB
MD5556601d0d88eacb2a7791c076dfeb85a
SHA1a102a3386a2d48929524d257ea0caf217e232850
SHA2565dc701afd0fc6463cadbc5cab86d6829df2edfc29016dd3312925bc9e4bad23f
SHA51229597cb5088d35b5cdf85db0bf61ef60334b55712f2283b70ca08c2e6577d3128ea01ee76eb4a7a87266351cf2293e994f86cfc0ab6bb5b545f383905394c2ae
-
Filesize
1.2MB
MD5bc874265e5083040efe52e442e056f47
SHA17e135e3d26e47e316625508ff31e3ec4e1694fed
SHA25611dd0aaf39396259b9a4c62f74ee43db0f5b8142411dbfa9964eb5a65d1b2b12
SHA5122e4058fa8244d822d49bb7a5f8b693f619c355873b6af66d88bdbfb036525e2319de241d1665f3206f68c025d17026302c2242d1171b286dd8e60f03056e65d5
-
Filesize
1.2MB
MD5a883747697b47cd8262330a8b8922829
SHA14f8a302d02b0913a5fce3397f6e61f551ada7c72
SHA2564379a60228bf1ac648d45783adb8b922f76b7555a50d4c2c5c48f38a5f1ed3e2
SHA512177ad80388bce49eed024a1bfa336f1024a374c0b1c575739269792716019ae71894283156a99527d62aa5ad1b9c1922a849edb242954d3c5e19d016d1c1668f
-
Filesize
1.5MB
MD55acec00ffa27760aadea34d7dcbd2152
SHA1f4ace3b5d3540765412eefd5789ac01b4c41ecd1
SHA2560e100c28e35c4bad1aed6121762fe619686561a31bec3014fc25c68639472d0a
SHA51294130fe7fab60f4746d45a92cb79b2745f8aa9daa9732f2b09b81e01382bdf622d377eee371661b677fcb170c3a37524d33bff0fc897959cd7f61f6c0e9cb846
-
Filesize
1.3MB
MD52c417ba55ce3ebc86d79a9cbdd2626b1
SHA1b5c8617dd8a4dd5e20023da33314f1081ba16c0e
SHA256d7b32a29832115de47c09b86a5516ac1e748b6a22a3fd07ef4f2fe12224a5166
SHA5128a79b9ffd2219afaffcbb764026599ffb9dd2e07b818f9cba5cb86f30cd2ef0a31385f28686787c5ad687ff506eb7af9bcc3dd4921ebdec9dcd3974a5895ee4e
-
Filesize
1.4MB
MD59f1352f9ea33a4fcc6b9b036091b446f
SHA13297d68c3a89f26b81c792855573ee5b9bff1f2c
SHA256ceba6c41732b05036dcf5240bd9da25bed9d2fb8df0f334348895bd82cf6ae84
SHA5123aed367679eae24223cea965f7404142555c3466987c41423522ebee89fc8ae03e5d8d7d460191ba7a9299194a1751c02d0623dab6026b4d115b62fd7ca1f86f
-
Filesize
1.8MB
MD5f7b67e10886f1a895b18452055c08417
SHA1ea0e37df492bc49a161ec4017b4f60d66aa09693
SHA25664088deb27fc77dedc310f865d6f95102a275d8bd8a0bc7479e6433422b6ba5f
SHA512fb481f34d90420ac453fb2b6cd95a6bcf0739029bc98d9968d6bebdfdddf72619220637fd7d4f80d5df313ae6f65c92f4f57e9a420d7b08372120619d989e9d3
-
Filesize
1.4MB
MD5f3cf3b67dc20cad94c9de6dbc9329dd8
SHA1f58dda1eaad5b3f927e1883794f3c8b020969b72
SHA256e2acb38949d2b50d624bc9b60c97195d33db5b8948033eabc50710e484d77958
SHA512e0c88a882d664a82eaaaffca4e1f51b8cd655ba299a2b583cf98779ae69aa659935da71c091e1835437e9e1892bd1e15ce1ed63d7c9c32d95ad14fb29b12c2d9
-
Filesize
1.5MB
MD52b4cbe4de540e57bfe983e6c3eead5c1
SHA16657c87740bbeefd4b82b0c21c9487d898d9eb69
SHA256a95a7c3a9366f7c3fc82c8a9b8ef3a4f91c63c8e413a1f2864c577c075bf1e1f
SHA51216887641ed36cf596c0b084ce2db925152c2d4a8b9d74bf070529a785437901d56d9f938f12fdf50adf3766d402506061eea93455c43485eb6e8d0cbeda5ba6d
-
Filesize
2.0MB
MD592bfe9bb26e6fded24eee3d11664b812
SHA17f72f35b67cf2dc57c6c881546039fdbaec0bfae
SHA256bb6355c7de02855aa73dd6df7a6614313b7959ed0818d9414e1de5144c26d55e
SHA51203c537ec8c82da4c82e52235bb62bf7563b3c0ee304d46434c7aaf701f4088743379214f3575a80551e1d2397b978cf6241e66e38fd50bff1d5ef93b4240fa78
-
Filesize
1.3MB
MD53f99b3ca1e6bf660beec3f080a427c31
SHA15c8ed45f1c1ada496cc444c232d5f488795ea6a4
SHA256284e71df41ba3db6ae8d3a64e20f36fd1cd32a9222c45a9153f02712484b69a9
SHA5121577099a32aa9f346ced915deda53567202a09bc3ce93cd1dacdbc8facd854cee94d3025aaa048d7db3f8d3c467a5f570df2d243491a58c025c2da6fb043fd50
-
Filesize
1.3MB
MD51d3dec32105f7be67aab7a818595e6e3
SHA1cc879dbfa603941ae6ff4128e540979d091078c6
SHA2566da979a83351a935c692f84e2c79fe61e9718b5950351cfeba798fb7177a8c3e
SHA5121e661cfd8e280b96b09a7d14a68a434db67f1de713e4db3cdc04d9151c3237591a74f55f40b40028f8b1071f119dfca02794e3948fe3e108abf762211b3eecd9
-
Filesize
1.2MB
MD5d0863a708ea4f415b65a3bf8c0acd767
SHA16b7cb2b3fd5fc737d6ff8b260f3b873ba6af6611
SHA256e15b033dad31cb7c9659163a1e517d6d6370ccab44afe232678414b8eea9b896
SHA512affc5f045912cafbfc3f40e77e48a64ced289a6686d5d31d075617a4436dec8431e9e133adfbb7f1bcb0edae4f8dced510ef0af1b8d77fe144754e4a225b9f32
-
Filesize
1.3MB
MD5ac96a9f38eafa20a90421dd5ee82caa7
SHA177bc5e24177d8f2ef3fb7a5129546aef0c425665
SHA2566a1f2fb98fe4936ae8fd8c795e58922d279c20fe772f83523c7026bc1ac803bd
SHA512be247cc94acd16498a93c35df0464147d521b2d70ffb52cd262a9ce1766bdd81961515967fc5a16227dbc206ae5f199668e21a8867edd2ce881194332aec3819
-
Filesize
1.4MB
MD585eaca1523f2118c03273386abf174f3
SHA18aa4111b255393ebf75e99a629c8615ef828fe43
SHA25671dc5554f8b47592bab6dd6c26972c33bc5902124a080119f31aef63158f21ef
SHA5122f317089b5223887652c4dca18c63a30e857984a4edb048718da08677f250e8e99d89146ff99974ec7b7f252a0bb8c5ed1d432ed616c025c9d5533bd54df09bd
-
Filesize
2.1MB
MD5f19b5f78a81d94d67b0eb0c3a7435e95
SHA1e674783dc2378f6b5d7505655256ebd8d7d305ea
SHA25665404603ed117b9b5df84a71635daa549f58e6512c44bf92f545322bf76389f9
SHA512a4309e3a1caf3952c4fd2f25a85602eae83888c483db2a6f4f31a3aa323e45274230ff8239a264842b01a2441252482fb87d4493f6960ceafd05e6cd3c1fd139
-
Filesize
40B
MD5bb84eab408b76ba9a3fce9253f03fc64
SHA156bb35588825f6f31498bcf1b30cadf778ffa8a9
SHA256790a9ce3e7c7ce0f7c79cae2be69cdcf54288ce0f1867ac750c7c7057b5a5b56
SHA51298582734192b7a4af9d879d5bf939071bed70bd8fa7f23439223fc067c3c8a9675903db2b2833ee74cc6b7fadbb0511faa8e7179c7293a407e65e6f7888b6258
-
Filesize
1.3MB
MD5f2ed97a46799c7a6c4466550ad208f50
SHA16ab22f861065a022216f1241695d8ce5b032bf09
SHA256b8719f3aae65f8b9c7f4ac7283d6d7d999cfe762e36d8a6e6ca2d604a495cae2
SHA5128ffbb350ea6d5a96c0b0ab4b6f310d0e85c45a48fa18f6a97f320a17cdf4b1229b4d96f6b42ad0fc98e7bcd7008b2c09779e3fc0aad3db4723711840ce9189cf
-
Filesize
1.5MB
MD5f32fad01de235e1ec8f6e6ab13072ffe
SHA126c58d4c0ec25970ccea458f578c6f111d4daa8d
SHA25609403b9e19bf3ea0e492eefdc16562129b2fb6aeae7a2c932ba9bcc5c3d229b0
SHA51275dd7b1ff6cc531e206e8823b1fb07acb46fe025f0f66a2fafe0bd9389b2c18e241190faa0f36a43f4e4a301c6428842700aad145a3b592842ff7aa864c18ded
-
Filesize
1.2MB
MD5a9f8fbbe70e90dd4ce714ea3495be4b5
SHA16c20855116ccc1413a4fd73ff7aacefc8e58c62a
SHA256d07dbadb58749b30de18c862f670759a6e05ef7578fc14213faa8872568defc8
SHA512d91861dc92cd74389cdbb818c740fc5ad0919d3a38078394363f77d98c0c138f320622eff751a766181883787b101262c7dcb7732d34949030653c438406fbf6
-
Filesize
5.6MB
MD5d2acf91aa70f4e22d6c4bc1cd07ca8e0
SHA1d1cbef2fce7a8b50597cea6d599d8e97fb09cd8e
SHA2560948bcdcefac2541e55ea703f2a08d1abbd3685efea1e04010c584deaf2ad5d4
SHA5128654f457ff4ffb876523b8dd1af87f4d5aa24417876e43fba107d8a985b9628a4da19e629a42c834d1cbf1f17ef98adb4deadf9c8f3f505c95d93a8da9f4043e
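The dropped-file listing above is only useful once the digests are pulled out, sanity-checked and turned into an IOC set; copying them by hand is how a 63-character SHA-256 ends up in a blocklist. The following Python is an added example, not part of the sandbox report, that parses this listing in either layout it appears in (label fused to the digest, or label and digest on consecutive lines), rejects any digest whose length or alphabet does not fit its algorithm, and, for the 2-byte entry, recomputes the hashes with hashlib to test whether the file is the two bytes "{}" (an empty JSON object; its MD5 and SHA-256 are the well-known digests of that string). The input is copied from two of the report's own entries; the parser, the size unit table and the function names are this example's own.

```python
"""Parse a sandbox 'dropped files' hash listing into a checked IOC set.

Added example, not code from the report. Handles both layouts seen on such
pages: "MD5<hex>" on one line, or "MD5" followed by the digest on the next.
"""
import hashlib
import re

# Input copied from two of the report's entries (193KB and 2B), one in each layout.
REPORT_TEXT = """\
-
Filesize
193KB
MD5ef36a84ad2bc23f79d171c604b56de29
SHA138d6569cd30d096140e752db5d98d53cf304a8fc
SHA256e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize
2B
MD5
99914b932bd37a50b983c5e7c90ae93b
SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex chars
LABELS = ("SHA512", "SHA256", "SHA1", "MD5", "Filesize")  # longest prefix first
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2}  # assumed meaning of the report's units


def _split_label(line):
    """Return (label, remainder) for 'SHA256abc...' or ('Filesize', '')."""
    for label in LABELS:
        if line.startswith(label):
            return label, line[len(label):]
    return None, line


def parse_entries(text):
    """Split the listing on '-' separators into dicts keyed by label."""
    entries, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":  # separator: close the previous entry, open a new one
            if current:
                entries.append(current)
            current, pending = {}, None
            continue
        if current is None:
            current = {}
        label, rest = _split_label(line)
        if label and rest:        # fused layout: value is on the same line
            current[label] = rest
        elif label:               # split layout: value follows on the next line
            pending = label
        elif pending:             # hex digests never start with S, M or F
            current[pending] = line
            pending = None
    if current:
        entries.append(current)
    return entries


def size_bytes(size_text):
    """Approximate byte count for a rounded display size such as '1.3MB'."""
    m = re.fullmatch(r"([0-9.]+)\s*(B|KB|MB)", size_text)
    if not m:
        raise ValueError(f"unparseable size: {size_text!r}")
    return int(float(m.group(1)) * UNIT[m.group(2)])


def validate_entry(entry):
    """Transcription problems: missing algorithms, wrong length or non-hex digests."""
    problems = []
    for alg, length in DIGEST_LEN.items():
        digest = entry.get(alg)
        if digest is None:
            problems.append(f"{alg}: missing")
        elif len(digest) != length or not re.fullmatch(r"[0-9a-fA-F]+", digest):
            problems.append(f"{alg}: expected {length} hex chars, got {digest!r}")
    return problems


def matches_content(entry, data):
    """Recompute every digest of `data` and report which listed values agree."""
    computed = {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
    }
    return {alg: entry.get(alg, "").lower() == computed[alg] for alg in computed}


def sha256_iocs(entries):
    """Deduplicated, sorted SHA-256 values ready for a blocklist or hunt query."""
    return sorted({e["SHA256"].lower() for e in entries if "SHA256" in e})


if __name__ == "__main__":
    parsed = parse_entries(REPORT_TEXT)
    for e in parsed:
        print(e["Filesize"], size_bytes(e["Filesize"]), validate_entry(e) or "ok")
    print(matches_content(parsed[1], b"{}"))  # is the 2-byte file just "{}"?
    print(sha256_iocs(parsed))
```

Only SHA-256 is emitted as an IOC: MD5 and SHA-1 are kept for cross-referencing older reports, but neither should be the key a blocklist matches on. The size check is approximate because the report rounds sizes; use it to catch a digest pasted under the wrong file, not as an exact match.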