Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 18:52

Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
Resource: win7-20240221-en

General

Target: 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
Size: 5.5MB
MD5: 3b1277ffc3dfc5cbef2bf4d39d8fdaba
SHA1: b3b60fb09b35d8fa32368ef99c152dfa6bd94ec9
SHA256: dc83a6dbe5e84ad12476ca268ffedadaf18cc56d9791e24eb14c1049332ed424
SHA512: ab97e4108df09375a2ffb18faf5861d6b72d5a7e59418119c82f9833ac8643da31a9940da69a431a88cb8bf6a859a9c85de019788d93d1c6d9dfa6889d35e7b3
SSDEEP: 49152:8EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1cn9tJEUxDG0BYYrLA50IHLGfK:KAI5pAdVen9tbnR1VgBVmoUf

Malware Config

Signatures

Executes dropped EXE (22 IoCs)

pid | Process
2352 | alg.exe
408 | DiagnosticsHub.StandardCollector.Service.exe
3772 | fxssvc.exe
2284 | elevation_service.exe
5048 | elevation_service.exe
1780 | maintenanceservice.exe
3068 | msdtc.exe
3952 | OSE.EXE
4436 | PerceptionSimulationService.exe
1664 | perfhost.exe
3732 | locator.exe
2440 | SensorDataService.exe
2104 | snmptrap.exe
536 | spectrum.exe
5412 | ssh-agent.exe
5628 | TieringEngineService.exe
5768 | AgentService.exe
5872 | vds.exe
5960 | vssvc.exe
6088 | wbengine.exe
3340 | WmiApSrv.exe
4368 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (31 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\17c66cf212d07ad8.bin | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
Drops file in Program Files directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91140\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | alg.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
Drops file in Windows directory (3 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)

description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)

description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9c45a1df885da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000082bc6e1cf885da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a62581df885da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d72fa31cf885da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be86d81bf885da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dace811cf885da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005bfa0c1cf885da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f04e451df885da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007135081cf885da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" | SearchProtocolHost.exe
Key created
\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" SearchProtocolHost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133566439506613765" chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid Process
1368 chrome.exe (×2)
4704 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe (×35)
5744 chrome.exe (×2)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
664 Process not Found (×2)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process
1368 chrome.exe (×3)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 3592 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
Token: SeAuditPrivilege 3772 fxssvc.exe
Token: SeShutdownPrivilege 1368 chrome.exe / Token: SeCreatePagefilePrivilege 1368 chrome.exe (alternating pair, ×7)
Token: SeRestorePrivilege 5628 TieringEngineService.exe
Token: SeManageVolumePrivilege 5628 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 5768 AgentService.exe
Token: SeShutdownPrivilege 1368 chrome.exe
Token: SeCreatePagefilePrivilege 1368 chrome.exe
Token: SeBackupPrivilege 5960 vssvc.exe
Token: SeRestorePrivilege 5960 vssvc.exe
Token: SeAuditPrivilege 5960 vssvc.exe
Token: SeBackupPrivilege 6088 wbengine.exe
Token: SeRestorePrivilege 6088 wbengine.exe
Token: SeSecurityPrivilege 6088 wbengine.exe
Token: SeShutdownPrivilege 1368 chrome.exe / Token: SeCreatePagefilePrivilege 1368 chrome.exe (alternating pair, ×3)
Token: 33 4368 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4368 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4368 SearchIndexer.exe (×24)
Token: SeShutdownPrivilege 1368 chrome.exe
Token: SeCreatePagefilePrivilege 1368 chrome.exe
Token: SeShutdownPrivilege 1368 chrome.exe
Token: SeCreatePagefilePrivilege 1368 chrome.exe
Token: SeShutdownPrivilege 1368 chrome.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process
1368 chrome.exe (×3)
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3592 wrote to memory of 4704 3592 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe 85 (×2)
PID 3592 wrote to memory of 1368 3592 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe 88 (×2)
PID 1368 wrote to memory of 1976 1368 chrome.exe 89 (×2)
PID 1368 wrote to memory of 1432 1368 chrome.exe 94 (×38)
PID 1368 wrote to memory of 1488 1368 chrome.exe 95 (×2)
PID 1368 wrote to memory of 5032 1368 chrome.exe 96 (×18)
-
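The two tables above are the ones worth correlating: SeTakeOwnershipPrivilege is what lets a user-mode process write to TrustedInstaller-owned binaries under System32, and WriteProcessMemory rows show which process injected into which. The script below is an added example, not part of the sandbox report or of any tool the report comes from; it parses both row shapes (whitespace-insensitive, so it works on the run-together text the page extracts to) and flags a process only when it enabled an ACL-bypassing privilege and wrote into another process. The embedded rows are a constructed excerpt copied from this report; ACL_BYPASS_PRIVS and the function names are my own choices.

```python
"""Parse the AdjustPrivilegeToken and WriteProcessMemory rows of a Triage-style
sandbox report and flag processes that combine ACL-bypassing privileges with
cross-process memory writes (what the sample, PID 3592, does in this report)."""
import re
from collections import Counter

# Constructed excerpt: a handful of rows copied from this report, in the
# run-together form the page extracts to. Line breaks do not matter to the parser.
TOKEN_ROWS = """
Token: SeTakeOwnershipPrivilege 3592 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
Token: SeAuditPrivilege 3772 fxssvc.exe
Token: SeShutdownPrivilege 1368 chrome.exe Token: SeCreatePagefilePrivilege 1368 chrome.exe
Token: SeRestorePrivilege 5628 TieringEngineService.exe Token: SeManageVolumePrivilege 5628 TieringEngineService.exe
Token: SeBackupPrivilege 5960 vssvc.exe Token: SeRestorePrivilege 5960 vssvc.exe Token: SeAuditPrivilege 5960 vssvc.exe
Token: 33 4368 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 4368 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4368 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4368 SearchIndexer.exe
"""
WPM_ROWS = """
PID 3592 wrote to memory of 4704 3592 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe 85
PID 3592 wrote to memory of 4704 3592 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe 85
PID 3592 wrote to memory of 1368 3592 2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe 88
PID 1368 wrote to memory of 1976 1368 chrome.exe 89 PID 1368 wrote to memory of 1432 1368 chrome.exe 94
"""

# Row shapes as the report prints them: "Token: <privilege> <pid> <image>" and
# "PID <src> wrote to memory of <dst> <src> <image> <target procid>".
TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")

# Privileges that bypass file ACLs (my chosen set, not a sandbox definition).
# SeTakeOwnershipPrivilege is the one that opens TrustedInstaller-owned
# System32 service images for writing.
ACL_BYPASS_PRIVS = {"SeTakeOwnershipPrivilege", "SeRestorePrivilege", "SeBackupPrivilege"}


def parse_privileges(text):
    """pid -> {"image": name, "privileges": Counter(privilege -> enable count)}."""
    procs = {}
    for priv, pid, image in TOKEN_RE.findall(text):
        entry = procs.setdefault(int(pid), {"image": image, "privileges": Counter()})
        entry["privileges"][priv] += 1
    return procs


def parse_writes(text):
    """(writer pid, target pid) -> number of WriteProcessMemory events."""
    edges = Counter()
    for src, dst, _image, _target in WPM_RE.findall(text):
        edges[(int(src), int(dst))] += 1
    return edges


def flag_suspects(procs, edges):
    """PIDs that enabled an ACL-bypassing privilege AND wrote into another process.
    vssvc, wbengine and TieringEngine enable SeBackup/SeRestore as well, but never
    write into another process, so the conjunction keeps them out of this list."""
    writers = {src for src, dst in edges if src != dst}
    return sorted(pid for pid, p in procs.items()
                  if ACL_BYPASS_PRIVS & set(p["privileges"]) and pid in writers)


def ownership_only(procs, edges):
    """Lower-severity list: enabled SeTakeOwnershipPrivilege but has no write rows
    (SearchIndexer.exe, a Windows service, lands here in this report)."""
    writers = {src for src, dst in edges}
    return sorted(pid for pid, p in procs.items()
                  if "SeTakeOwnershipPrivilege" in p["privileges"] and pid not in writers)


if __name__ == "__main__":
    procs, edges = parse_privileges(TOKEN_ROWS), parse_writes(WPM_ROWS)
    for pid in flag_suspects(procs, edges):
        targets = sorted(dst for src, dst in edges if src == pid)
        print(f"HIGH   pid {pid} {procs[pid]['image']}: "
              f"{sorted(procs[pid]['privileges'])} and wrote into {targets}")
    for pid in ownership_only(procs, edges):
        print(f"REVIEW pid {pid} {procs[pid]['image']}: SeTakeOwnershipPrivilege, no writes")
```

On the full tables above the same rule yields exactly one HIGH hit, PID 3592, whose write targets (4704 and 1368) are the two processes it spawns in the tree; chrome.exe writes into its own child processes but only ever enables SeShutdownPrivilege and SeCreatePagefilePrivilege, which is normal Chrome start-up.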
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups and snapshots. In this run the tag coincides with vssvc.exe (PID 5960, itself tagged "Executes dropped EXE") and wbengine.exe (PID 6088) starting and enabling SeBackupPrivilege and SeRestorePrivilege. No vssadmin, wmic or PowerShell shadow-copy deletion appears anywhere in the process tree, so this tag on its own does not establish that snapshots were removed; treat it as an indicator to check, not as proof of the usual ransomware pre-encryption step.
Processes
-
Reading the tree top-down: the sample (PID 3592) spawns a copy of itself with Chrome's crashpad-handler arguments (reporting --annotation=ver=113.0.5672.93) and then the installed Chrome (106.0.5249.119) with --force-first-run; both the sample and its child are tagged "Drops file in System32 directory". Every System32 service image started afterwards at depth 1 with no parent in the tree (alg.exe, fxssvc.exe, msdtc.exe, vds.exe, vssvc.exe, wbengine.exe and the rest) is tagged "Executes dropped EXE", i.e. the service was started from a binary written during the run, and alg.exe in turn carries the same drop tags. Those paths are the files to hash and signature-check on any host that ran this sample.
-
depth 1: C:\Users\Admin\AppData\Local\Temp\2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3592
  depth 2: C:\Users\Admin\AppData\Local\Temp\2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2d4,0x2e0,0x2dc,0x2e4,0x140462458,0x140462468,0x140462478
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4704
  depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1368
    depth 3: C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fef79758,0x7ff9fef79768,0x7ff9fef79778
      PID:1976
    depth 3: C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1664,i,13218716527427028562,1867566113353323502,131072 /prefetch:2
      PID:1432
    depth 3: C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1664,i,13218716527427028562,1867566113353323502,131072 /prefetch:8
      PID:1488
    depth 3: C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1664,i,13218716527427028562,1867566113353323502,131072 /prefetch:8
      PID:5032
    depth 3: C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1664,i,13218716527427028562,1867566113353323502,131072 /prefetch:1
      PID:3788
    depth 3: C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2960 --field-trial-handle=1664,i,13218716527427028562,1867566113353323502,131072 /prefetch:1
      PID:1600
    depth 3: C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4592 --field-trial-handle=1664,i,13218716527427028562,1867566113353323502,131072 /prefetch:1
      PID:4320
    depth 3: C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 --field-trial-handle=1664,i,13218716527427028562,1867566113353323502,131072 /prefetch:8
      PID:4492
    depth 3: C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5184 --field-trial-handle=1664,i,13218716527427028562,1867566113353323502,131072 /prefetch:8
      PID:2348
    depth 3: C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
      PID:3920
      depth 4: C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x240,0x244,0x248,0x21c,0x24c,0x7ff775a87688,0x7ff775a87698,0x7ff775a876a8
        PID:3548
      depth 4: C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
        PID:436
        depth 5: C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
          command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x240,0x244,0x248,0x21c,0x24c,0x7ff775a87688,0x7ff775a87698,0x7ff775a876a8
          PID:4100
    depth 3: C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 --field-trial-handle=1664,i,13218716527427028562,1867566113353323502,131072 /prefetch:8
      PID:5196
    depth 3: C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4736 --field-trial-handle=1664,i,13218716527427028562,1867566113353323502,131072 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID:5744
-
depth 1: C:\Windows\System32\alg.exe
  command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:2352
-
depth 1: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID:408
-
depth 1: C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID:2752
-
depth 1: C:\Windows\system32\fxssvc.exe
  command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3772
-
depth 1: C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
  PID:2284
-
depth 1: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID:5048
-
depth 1: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1780
-
depth 1: C:\Windows\System32\msdtc.exe
  command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:3068
-
depth 1: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID:3952
-
depth 1: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID:4436
-
depth 1: C:\Windows\SysWow64\perfhost.exe
  command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID:1664
-
depth 1: C:\Windows\system32\locator.exe
  command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID:3732
-
depth 1: C:\Windows\System32\SensorDataService.exe
  command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:2440
-
depth 1: C:\Windows\System32\snmptrap.exe
  command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID:2104
-
depth 1: C:\Windows\system32\spectrum.exe
  command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:536
-
depth 1: C:\Windows\System32\OpenSSH\ssh-agent.exe
  command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID:5412
-
depth 1: C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID:5476
-
depth 1: C:\Windows\system32\TieringEngineService.exe
  command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:5628
-
depth 1: C:\Windows\system32\AgentService.exe
  command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5768
-
depth 1: C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID:5872
-
depth 1: C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5960
-
depth 1: C:\Windows\system32\wbengine.exe
  command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6088
-
depth 1: C:\Windows\system32\wbem\WmiApSrv.exe
  command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID:3340
-
depth 1: C:\Windows\system32\SearchIndexer.exe
  command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4368
  depth 2: C:\Windows\system32\SearchProtocolHost.exe
    command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:6128
  depth 2: C:\Windows\system32\SearchFilterHost.exe
    command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
    - Modifies data under HKEY_USERS
    PID:6140
-
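The raw text of this report fuses each process entry's image path, command line and tree depth into one line (for example `C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵`), with the behaviour tags and `PID:` following. The parser below is an added example, not part of the report or of the sandbox's own tooling; it rebuilds the parent/child tree from that fused form and pulls out the paths tagged "Executes dropped EXE", which in this run are the service images to verify on disk. The embedded tree is a constructed excerpt of this report (a subset of the entries, with the long Chrome command lines shortened); HEADER_RE and the function names are mine.

```python
"""Rebuild a Triage-style process tree from its text extraction, where each process
line fuses the image path, the command line and a one-digit depth marker ("1⤵"),
and list the on-disk binaries the report says were written and then executed."""
import re

# Constructed excerpt of this report's tree in the fused extraction form (subset of
# the entries, command lines shortened). Parser and helpers are mine, not the sandbox's.
TREE_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592
C:\Users\Admin\AppData\Local\Temp\2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_3b1277ffc3dfc5cbef2bf4d39d8fdaba_ryuk.exe --type=crashpad-handler /prefetch:72⤵
- Drops file in System32 directory
PID:4704
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Modifies data under HKEY_USERS
PID:1368
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process /prefetch:23⤵PID:1432
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings3⤵PID:3920
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --install-level=04⤵PID:436
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2352
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:2752
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
PID:3772
"""

# The image path runs up to the first ".exe"; the single digit before "⤵" is the
# depth; short entries carry "PID:n" on the same line, the rest on a later line.
HEADER_RE = re.compile(r"(?P<path>.+?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?",
                       re.IGNORECASE)


def parse_process_tree(text):
    """Nodes in report order: path, cmdline, depth, pid, flags, parent (pid or None)."""
    nodes, parents, last_at_depth, current = [], [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.fullmatch(line)
        if m:
            depth = int(m["depth"])
            current = {"path": m["path"], "cmdline": m["cmd"].strip(), "depth": depth,
                       "pid": int(m["pid"]) if m["pid"] else None, "flags": []}
            nodes.append(current)
            parents.append(last_at_depth.get(depth - 1))  # most recent node one level up
            last_at_depth[depth] = current
        elif current is not None and line.startswith("- "):
            current["flags"].append(line[2:])
        elif current is not None and line.startswith("PID:"):
            current["pid"] = int(line[4:].split()[0])  # tolerates a trailing " -"
    for node, parent in zip(nodes, parents):  # resolve parents once every PID is known
        node["parent"] = parent["pid"] if parent else None
    return nodes


def children(nodes, pid):
    """Direct child PIDs of pid, in report order."""
    return [n["pid"] for n in nodes if n["parent"] == pid]


def lineage(nodes, pid):
    """Root-to-process chain of PIDs, e.g. sample -> chrome -> chrmstp -> chrmstp."""
    by_pid = {n["pid"]: n for n in nodes}
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = by_pid[pid]["parent"]
    return chain[::-1]


def replaced_binaries(nodes):
    """Paths tagged 'Executes dropped EXE': images written during the run and then
    executed. In this report they are System32 service binaries, i.e. the files to
    hash against the Downloads section and signature-check on affected hosts."""
    return [n["path"] for n in nodes if "Executes dropped EXE" in n["flags"]]


if __name__ == "__main__":
    tree = parse_process_tree(TREE_TEXT)
    for n in tree:
        print("  " * (n["depth"] - 1) + f"[{n['pid']}] {n['path']} (parent {n['parent']})")
    print("binaries to verify on disk:", replaced_binaries(tree))
```

The depth marker is the only parent information the text form keeps, so the parser trusts it: a node's parent is the most recent node one level shallower, which is exactly how the rendered tree is laid out.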
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5c073669d49e4d6e8893599093af59dc4
SHA1961f5112b6175874915a63bbb62fe1c67a99c048
SHA25637d9321e0a0678926b87a0b2494255008cb1272e4879a2fbe18afde25973f17d
SHA5127e95dc253a32d753f5fef35846a76a14ea219b01b2bbb2e89211a13c0fe6c0abefe2cd3fc16194103ea8b291f3c620de7d9238855d459afb96c8ad1b5e904fc7
-
Filesize
1.4MB
MD53a80790bd7ce6f998a6156b57d74cdec
SHA11f46665e0713473b3727dc17b1b71337d5edc3ff
SHA256579c33cb3d9c8acaa22f783063042209ec666d8f8521301515ce2754d3ed9c72
SHA51215cb1d467afd64f01358a06422829b9221bc622ff4a8f612623f2f4dd258d3cf26125dbfa2efcb457bd11d04011d64c0a00d4e30bd717c81c77c8a7868d49985
-
Filesize
1.4MB
MD5439b7be9a8341178c3cde95972131469
SHA10088a4de42b270741986869937baabb2a66b90dc
SHA256b66a81e265d95456309f887c89fdf6af4c1d8094629fc4827b876ece9acb649c
SHA512c46d6d200d69cd08baca259b6c5769977270898bb0aac1d6b1b2f1ad27f5f0a195c80bbf8d48e15c23d9121a7a3bc9ff4fc043e1870906ad19d5577e32602498
-
Filesize
2.1MB
MD5b22454b4cea2c5e18b48e6760a772c3c
SHA1264d287bdfc1104e8478101aea20cf54bf3c94a8
SHA256ff1dea03dc68c32c90da0ca2beeae7850b77217a406d036325d57c4616dac5a3
SHA5129d931a2534cbf77ac1682278d8850a674ed2c24db7426f038f12114770cd834e831ac5f61aa37348833f17715c0225eaaa409b70a9691537391b94752fa7a322
-
Filesize
488B
MD56d971ce11af4a6a93a4311841da1a178
SHA1cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize
1.5MB
MD5d39d5a8f005cda9d9081e8466e7910e6
SHA189be85b26be3df0d467ed07c9b430b14b0e6a6a0
SHA2565fd6c970d197d1e72785a2f2b5f2f9652255924b05471f65c2e51ee2bc51245e
SHA5127ce23688935b2ca6ce2151361c4cb25175cb010eb9cc6a8db9074a8e334ff31d9c577408113a5ef3e21794d62a92c677e9eea8b77f60b56b05d5191712a3492b
-
Filesize
1.2MB
MD5509c88386ae0e7dba1156695b62178a2
SHA19c257c68c34c590228dc915f449081ccff914998
SHA256cf43cfd45bd7972b80775a9c1280cc3cf623e43149b4b21ed4a18bec0f9b7957
SHA5126776396598ddc4fb9c0974ea8ee9c40c85b3a398f06b010b05b7e2e90fdb786e4864cb92a976841b4daec1bc4839a974966ac883b9387119a0caecd44f30c047
-
Filesize
1.2MB
MD52ef53c7457f19b54b6b9c071597c1b8d
SHA1e4d73c7b7b066c3ae4aa739acc5f757ea27f2ca0
SHA256eea126557b4e4955f7d49713dcee217dba17fbbd3efa7ceb059d3f92f5927327
SHA512605d7ba9db8edf7c96604ac25efcf032d065b85b5010f8ba46a00acbfc9ca7a902467f2b61059ef06284ca26817bfb53500cf5068096d61efd15ba946e5659f6
-
Filesize
1.2MB
MD5a29a5025c079552cd3fe781ac34fb8d8
SHA131f1ce762533400d448bc6488fa789c914f95bb6
SHA256c7c3995e215842022ce2678a98422d8a617d2ccf0d4058d7ee2879f5542f3189
SHA5123c91e5dc6e1835e4dd241a8a2e2bbf9c4710818fb1e64987f0a990f6faf21bcc753553bc23a54c9dd34a6a76fc1b802910595486e03196a007effbb729646a2a
-
Filesize
1.5MB
MD5f5216088d50d5efe505e3624219026f1
SHA1c9c347cf9a52943f9de3e6790c5dca6204f18748
SHA256fd6045707e890ee2f12d461430a1f60dbb0c1c70c70e88040b1bd1e025f4d791
SHA512f06dfa187f30d7d7c71336e7058107845aa85c956b86148aa7cd8c15b2d6851c4e6f84b6de6df1aa0c231407c4c93ea3513f68483bf672beaec60e17c36198cf
-
Filesize
1.2MB
MD534f69800b9cc93f93fd2b19cbd51e451
SHA195a855b4b29aa8ae5c8f454aa31ceb155407bfcb
SHA2561bb2a8c2387293fe15e114fe9eaa3056c3ef5dfc06b647fa7b25463c383ff441
SHA51201fd1660b31f674c04274deeb2bb986072859d3b2ea9049330478f6de39ead517a93e55434d48edb61f3b8b56755d2f771beb9887e9c0b982a0449f0bf457e65
-
Filesize
1.2MB
MD53c6d9e114ffdd6392c676ef76d2b238f
SHA11c400fbdd4c4a6a1a438fb6641f0430e97489265
SHA256894a6aaa6e80990d43a743b8ab944f5beb633061ee39e04fd89986853d337174
SHA512859eec407f2ecdd7e0602e9c3c44b1bc5e109b90607bcb8c950c1cbea519da12e5fbb64e8288a62993c4d5214bd0398f304c83e1ca2295770b3f778755d49c30
-
Filesize
1.3MB
MD5a2f383e7f03d0c06b9729b5f2b379819
SHA1aa5710e193821d605bce88dea8cd4c863129cc46
SHA256fef5388ed0d6ac0dc51b47fb40c084fd9f32d70e7650123086cf5e30b40867d0
SHA5123c698e8bc83a28994184a4ae704b855e2ea826ec47600df4dadf590f4ce212a0b8360e6653992bb953f4b3897eea43b32d1cf6629cdf9cd44e2d373aa62b1dff
-
Filesize
1.6MB
MD5881cd2e3edaa4c5b676c28e9e9101167
SHA197a207f662d66cd66bc11d6e296dfe6ec057c71b
SHA25677fbb37faf8be38186959ef74a743609d103e8f1a0ecefe64355d57c4ab83e2d
SHA512b1003caa13e9a03b49e528826a2b4751e4c8bd9e97dd60103556096d98faa83b9a6af41ff3d161b94d2794bc8bf394ad46f5e9c0360da74f36d1908a449dc3bb
-
Filesize
1.2MB
MD562ce1503729641be1bf3d8d84caf806d
SHA11dcd32a8dbf7f5b72a7b6ade737c31606c0eed02
SHA256b7bb9bf49c2a1d5db500f32ac3411503ce7efbd3849a99905b7bcd724544ce53
SHA5127253564647d77b5423af954ed27cbde91a194f5728d5fcd8ad390d282afe4a1b07608c1b46cb3d778a95cf75173002937491de3df57e2071de1c3927b72bdf24
-
Filesize
1.2MB
MD50ec71799a78b1b3cab6e4a1290b92a85
SHA13d41c7c0d291b0d7a0327dcb85cbb4d31399c7a7
SHA25699a122e2eeb8adf7afdb3e8b0dd46dccf992a190d7a8e3e4c3892d8076b6f6eb
SHA512cef268831c1f344a674173a80935bffa00b3918771c03ee344e7db1f3ed004e94090083da08a4170acb821ce6b4a927c91c2b20f19507fed14e8777bcd1009d8
-
Filesize
1.2MB
MD559d686d69ae10402c539c370250fcf23
SHA193398570d8e6f1b1c739cc35bcb8ec9e89e881df
SHA25623457159da238754d90be73b05cc7d8f14fa7dda7c6c260622250162c579319d
SHA512621024f2a9c0cbff6a64ea416e1a5497723e44a618be8bb03d295240d4c3506f5d994e77d14004c47b1dfd134c76d1cfb4c4fe4724deee2a83e93ae8b20be866
-
Filesize
1.2MB
MD522ba4d895bf16bc9561434dda4f06a5e
SHA1ec87612e73b617593705a69738948b7bb4d41901
SHA25629a092596a2ade2629370de38b65354874facf591f534d708ea277a0f7d4bf92
SHA51273d00617d614a96297ef25a00ad2697de82136df156c580d83345c51e51ea7a13ce5d564757751569903fe072bedd9547b164f6e2f205301f6b6ebeeb2613efe
-
Filesize
1.2MB
MD5de60da3475aff4a8c7f6782125695aa3
SHA19f449a2fca3d405cd348ca927ad7602f86b9c04c
SHA256c330383b56b7b2d7a477751d0a3c5f046fb5580dad1d87581f3c1990aa1baf4e
SHA512d68cb5dc530add2e7a0ad09b285e54e271c859f7af3c89e4c6733681b2259d3848e017310a775bf92ee794e547bf5396a219802eedcb7c419b53c6baf169c88e
-
Filesize
1.2MB
MD517393ad59ad978ea4a547b88a2a65c1b
SHA157794b3535a20aaf670012fa4c6fd1af5697566c
SHA256524039c830fae4d7abbddcb0970ec51c9b7c9f474394510844d392eee6d318e5
SHA51258d9b6c5d59921bad0eece999055f568af0b9474dbecf239ddec777c20275cf99a6fc4613fa74b408d3f4060b437d14f9ad8bbbd28912ec0f92608ded18ff79b
-
Filesize
1.5MB
MD5583ed6653ca09b639ff027c856c0f5d2
SHA11e060c62cb5fbf9afa737b481b92668987fa1d7b
SHA25611020455ebe25b5732a649512f10ecb0b281185f0effce9de0406b8342cee5f6
SHA512ddde4d588ad03aa34e5ac2fe08f145ecc240c513d5bb4dc187db29c7ab3acd74f0b7ce3548b62e296c6ba610429871f2f1831df9099671994d6208f21dd95641
-
Filesize
1.3MB
MD5532924ccb33190ef0c29847666ef2b96
SHA1e2d794f7de262200d8a5e5cf805ee22d4a71069f
SHA2560cb2b902b0ab9bff262b5edafc3106c87f1edf9f79d1877043f570dca326ade2
SHA512b0b6ad76341a9bb008cde32a4071733e15fc53eaa1891f1b9bde9139ee4c5fc85a48ddbc5f86d8b33ff6a9ed5ba335fd477630b28ed0c23bd012c89f4b20dd1f
-
Filesize
40B
MD5
99cc49358cfa3628888247c84b312722
SHA1
72df90d4341e204b5d695a65f8f0575d75d6d342
SHA256
570055b300595d9bee19cd486aec73f2e432043cc1a510b5075bc55da6b32757
SHA512
1b3f0129c396f2e582b6e1316e622f9faf71776e5878c95e71a961e4851f9aa90b651f0e3c3d406602c79f377776df5c8353578f44673359088ba16998fd614d
-
Filesize
193KB
MD5
ef36a84ad2bc23f79d171c604b56de29
SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize
945B
MD5
59d94133b299a521209ff6abc7944cc8
SHA1
1fd32d7bd7ce6c1922cbf1d9bfba764825a6dd58
SHA256
bdd1648c5a559490f63c7f4dfea70c7910cda5c5a50956f7e635112022fb1a5b
SHA512
53c09557e20ce3caea9feecb584b2437827295d5ba1228d69e4c24103b45456e25ed9646092bbc719f2c3f4de1031424cad13b16bbce292bb912c39b064e3850
-
Filesize
371B
MD5
0cac178b7acce95dcdf48ccb7b24ffa6
SHA1
e1e017f2f57dfab1dbec8dddd8ab50f24f0bd5a1
SHA256
c8b4a7a057127142972ed7d9716a07bbcbe0f1d793947912e53a4f327131be3e
SHA512
366951343e06485a1d324a83f86f5fc1e0228d018c5579c37a1d92cc9038acfb8275e8ebb25a0697c6e21486e1f8fdd922b8d11022330cdd4a45d9f730f2dc44
-
Filesize
5KB
MD5
bfaf367ef16ce0d1b955d7f574b00ec9
SHA1
9cae9d6d20d0fbad03c6bcf3ce5929b372cf1916
SHA256
20d74243e0388f9475d17f760cdda910c6256af714bbea252c772d0649e12b13
SHA512
0a62f2279ccc7c107af7cf881a93a74294de9c403b2699989e65ab869eee1ca1056b58b7ac6942abfab1b97c0ed4eb277e1ade7108a245daae1bdeee41648802
-
Filesize
4KB
MD5
cd68bb31fa87d9489e311cb85ac281e3
SHA1
25b53ac1935db6b2a6cc6271576c9f0590f98fa9
SHA256
16a336e04526fb5ff954e7f6d7bb3e2f861e0f9467aa727453e7dca35bfabd48
SHA512
97fc135b4124cabc2ed186995fee047a96e4cb9a2521101800f7102b31e90386b0cbfcd040fedd31e2700ca8151a1955242be30f0a6c231f3b4e499a7354bbf9
-
Filesize
4KB
MD5
880d29c16df016558573ad68f0b7fa5c
SHA1
db4b4f2bcdb23cb6bd4b72dc778d7054afe75303
SHA256
507263f4664ec33a2537dc68536cade5c1552031e372c48f3364bb5141453dda
SHA512
b529404d00f4c8bf008a43abef0464f561744a03c41f3c012fcbd2c39798cc5981f4694a6412a9e93f6c04c089382d8c7848be5c42d81c5df719c00909f2d96e
-
Filesize
2KB
MD5
9789813c7b351abcd4b4cc4821874f82
SHA1
3c3839cb1e6fcbd66f3c6dfc092f3aa49c057c03
SHA256
899961eb96b3c34c8a0b0bed8f6e6d81c5979592af5cc0144590b71e394bf7b2
SHA512
9c8dce395a863812d3b050b5068e97301309e46ae0c69f6ee0f8539f3dd453d269bfe4865d4afc6a8518e4b85ac49f8901fc937ca19da27a1e5bd178e3774a76
-
Filesize
15KB
MD5
fae2c59a63fc6b09e13136902ac98d14
SHA1
730dc6d361705f04b9169ed041da07aef32b34d3
SHA256
e4c85aca377becd6a5814280e05995d633d07ea88af243ed1a3de39985c11fd5
SHA512
8b853dbc6e9f8125014d2d406a82746701aa092724645bb2d8b0feda0cc1f284895cebdda7684177a9232b0f8e22b384f122233e92c5abf924fbc0b6e36a418e
-
Filesize
260KB
MD5
21f34ddf1d5900de2e4fd69c27bbab06
SHA1
f5043f763cfe94439b52b4a655adc941b1439267
SHA256
7925f2bdfed2caff1e2fb96274ba3865cb164380521db221428b3343de93e75f
SHA512
fe8b5e94898b08da8f359b64621aac24be52b64c6d3558b2810d089e2d2dd4dfc866da2edb5dc9d7a5b63a5d72c4133124e2bbfe8bfa6f77b1cdf54c149d3f7c
-
Filesize
2B
MD5
99914b932bd37a50b983c5e7c90ae93b
SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
7KB
MD5
a9234ad8c21c8355a193e81c6b5f4c8f
SHA1
7743e4bccac6859e9ff2ec0a088947080003a83d
SHA256
df8056bd81f858ccfa23d222e53b925d775eaafae422a82a6704cc5bd1aba198
SHA512
acf3973e0a56b82e578fc653cca6366281a6328fe7f1d4ecc65b3e6bfae06d60768fd479699fb83a1eaaee6dc0f323b11174877210365d7c7417aa453884afa8
-
Filesize
8KB
MD5
4bf113c65a44875071f686a2e4bc37c0
SHA1
86af661d47a308155a6373e363c10a43fdc2c0e9
SHA256
9a53c8ca113e14119cfeaef8e964058cae6087daae1c09052783882c96357596
SHA512
45533bcb8523e9df86992c38d20d82cb0ea4b3f3a5a69717777ccbf350cfbde8c3846c27148d0edeeccb84cb3061fdbaa41aeb36ebe2885016ccb6d06c655b66
-
Filesize
12KB
MD5
0ebb874811545078a1a6aaa301d72a36
SHA1
64efcdae502dee5e38c378e5e3bb3f893b6dace3
SHA256
de01ad7524672ec1f3d7d16851610a6998d26542911aa6b1a46bd5e9752f2873
SHA512
088c71d3a3cdcc72e95146d9072db10e5e1ebe143a41325c6fd5f83176df016c8f57873426c14c890e849d08af739fea02e144e7f218fce80533e166dfba3440
-
Filesize
1.2MB
MD5
63dc473765b76329ce28cca9c99c067a
SHA1
2d22e807871daee35aa47cb50e27fa73e442af8f
SHA256
3a01126b0c94566086baa0fc3dd61f1f8190973f6433fd59bbffecaf23863b27
SHA512
025e77770e74fee79cab9c3f27167d21f98baf8cec8f0f7ba973304fba73f5f39613a6720be9402607484ba08a7f0d986c14209b1b29ed4e938f378bc8e4169d
-
Filesize
1.7MB
MD5
dab66f8f4ea55f274ec1d2739b445ea9
SHA1
8354d27ba62556a669c5b69c31d345632ef21800
SHA256
ceaf3d275bd04f61386f579983d4d84303dd2a054d52de254087bb089327bbf3
SHA512
2a37deacb3d705fe8cae16f8eae982a3764dc00bfb799ca58f215e51b25b631fad41ce45ab769511e1648e379a8cf46a7f6c4dae899d56bfbc0a4511b02beea5
-
Filesize
1.3MB
MD5
1606f24197c830ca55003020ad02d91c
SHA1
d3b7c0e7392b5597b662a23d024887d2f20d0e7f
SHA256
34051a7216503129a08f0c85e7ea05e801dcd089cb58eb0a867fe425c6d41aee
SHA512
ff9b03089bb174811a3d1ca040ed3eaf7018ce907c480af57ed2cf9f970e26950b49c399058d17f17f0f87088e1fa43aba60bc4cfee57f10e448455dc4a97d9a
-
Filesize
1.2MB
MD5
360b3a232dd89694eea94a6f5d51e5a8
SHA1
d99345b1b6062b5d326a281f5d986f380fb65959
SHA256
ec84a1957e0414687d3e27f12eefef579ad311e96c0b5d575e264deeaa4f155e
SHA512
ddaafaf6aabd158bd1a207883fd480029b947288bf866758e150f7cf78c3ddc5e769bbf751ca1783b7b53f8f61d14d1a28fcd6443f89ba48e0b5bedfbb5233cf
-
Filesize
1.2MB
MD5
82910a28dfcb646154317e90ad785a5f
SHA1
dadaa087be9bb30d5550e7bd980f022553446d62
SHA256
82f45f7c5cf669f3830103afdac1b765c2d6d38f394f5514ba32ba7a3b4600e1
SHA512
bb63a8851488c44da367208edfcc75623b4cbb7baea1a2eea9d199e2eec533aec123f4b8cb964b16bd8e28d6f54da102046d6914a74447bbdc38e5867a979b48
-
Filesize
1.5MB
MD5
7bc4b42f6f6a632f09b73658b6427381
SHA1
33e2fb30953eec756827508e164b3f7b9761a6d5
SHA256
f0d107d3100b567ce0ac41fce0b8404f74584d473f3b5b3a0f909934545dc619
SHA512
c7352adc45d158c1ae98f7eb5d055ba5f0079825c57b2ffa1a2bea10b6998d2336660ab7d251b4dc541a36f3e731e26973b0516fa0560e865bc59a3440b7b59a
-
Filesize
1.3MB
MD5
d74168904ab94e5353b7a47d36714c75
SHA1
1b514b025109695210b3e45e2828d0736e106708
SHA256
f473894c2ec033685bf9960d889f4d96a09f5c059412da4a85d16dccfcc505f0
SHA512
3c1c437d09ef95406d74cce113d24c060677c3230c775e802cb36f6e4987ff9f3791d15d19bfb435c403c0a00e82c94808db8401237ad2798b4d778ee85de9bb
-
Filesize
1.4MB
MD5
f5325867fdede938d3b9f75e083d9bd6
SHA1
f575a5a838c473a7a593abf1328e9066ca683c0d
SHA256
8c64451cb686eda593c13431959f41bd0bfa170eb7c599ff780a3cdba0e22541
SHA512
85a3b4ee569ba88e648f9896c9a8de052ccd5278c9f52e1f0d607f4c6846dfdb00139bbd61cf01dc780ce0cd17190561743588b3b520e2cfe57659b816fd3b74
-
Filesize
1.8MB
MD5
7ebda47c3c979bd7492446c4eb036858
SHA1
c6d0342a7770fa64de8d0f6c8bf69c10abd2c61b
SHA256
1f6115c5afeb410a281da8dbc60598ea98873cfccb9d098c0eac6dac39512a25
SHA512
88ad6ead53ef2f5da982ea3bc3be960ea853920429eccf886788b7a0827ea41c88085ab7fcb5bf0c7159ee51ba32cab4b96866ff5356e60cdccebfbe9415eef9
-
Filesize
1.4MB
MD5
17334b9c305015a74c8cec8b45581190
SHA1
303782eadac220bf869da755bd53a6788051d2c8
SHA256
228282d6af7052dd89dbf3a8d2fbdd0ce757d48fad41f4223e3f8f2c4f899b4e
SHA512
584ebb5fc200c6d54506c542b81a35b683497bf417a3ed8f6d1345399ecddba54433f4c140493876c0f8df8f3c9faf8d5d0466aac3b7199ab11302f2f2d264f9
-
Filesize
1.5MB
MD5
241b5e832a4be51d735129549f4b4ff9
SHA1
44859dba1361e2a154ceab57957e81d1d329904a
SHA256
5b663d10505982d3bb90c40e788973cec21f141c49f8aca2c2543bf67bb6b283
SHA512
130cbf68e3ad1ddb5d866da30ef4f7d36990115eb0bcd3b918f4456ec143f9ebd590534b85f5d27f2458a304ca251eeb4d65adb7001135779fa70a4c1383a9c2
-
Filesize
2.0MB
MD5
05a28b300f825a8a4e05fa952d238ce8
SHA1
61c0f1fdae37d280775d6f4c5fbcd920b5761692
SHA256
00859a00844f60e0617a1d1a2b885a6c4fa1bea883f75e8bc486efb0fd38ec86
SHA512
5f5df0c9404141eca602deb7e577f62d947104e6d769aad38f779ac3bfd361ebbab2332a94755da73dcce74e696f7109cb30701a42deb3613fdf4295d2cd8b08
-
Filesize
1.3MB
MD5
93b20bd5501b62d9b60bad7ebbb25078
SHA1
2fc91cbe6580844e025b9d66bb27b39bee4c28e0
SHA256
f3120fc2ab773afebef6c37e89c8d6394630ed262dff4757baa93d4e5177681d
SHA512
e6a119ca8b15e145120da3863a5a766560dc5429291f6875dcde2f6b12a66d40683dcc2bda2141b34ddb861315a595213a3c80fb40d021af5fc9e73a78b948c1
-
Filesize
1.3MB
MD5
5314cd9be23dfdecc44856cd24c3bf18
SHA1
d61e2edeff41bffece9153df701cb2da74ef2b6f
SHA256
e87241dec9465625793a2e3ecb75c5982c71ca5291ea9cb4aa1a29614b6714f8
SHA512
e5807cdacac02c81bce8be70ee2099c9748d1b3b0b8f68e6ca990286063f0462cac95f25e3e1d4ce76597b4edbdda4bd6916eae500318174db3a108fe96c5623
-
Filesize
1.2MB
MD5
0c5c5267f6d5df3b432d7a34cc75c07d
SHA1
b1f257b18f60f9ec9e1cad4419e5e5c6e823ad52
SHA256
16e2a7068c4caaa8c65b77ad2ee6b7147418fcef6cb3a2886a310d5b8409d8ab
SHA512
7e7e60a6f3dd21bf7b234a237cf06603228148155ca613a65eafb9eec94840eb84d8a253c433c106ea6fe5de0f03a98ea75bcab8ec331c354f191d0047fe2fd2
-
Filesize
1.3MB
MD5
fce0d065e1e7e9bf68f9c5dba111e276
SHA1
779561a80ebdba8bd4d893accfa57f046240992d
SHA256
01c945304c7764762b514561ac6a8501bb0ef5967e1f03bb2970b1b6e25ad227
SHA512
4170a6073cae24042c3408fda785871447953535be9e70b7b484d9b2f51846db42f07667aa2c9a62b31c456cd0c7622404ea73fa8924c0ad36cfd7d1b8dacfc9
-
Filesize
1.4MB
MD5
c1005780a94c3840ab6bdefcdd5d98de
SHA1
2d9e88726889f4ee752e9db1bb55c76cae5760b8
SHA256
fbb1800f67931b282f89ba0f993c72c6ab9102ad5d93e9fd686d77e17e926abd
SHA512
7bc64744857ff50cb9f2ee3465f200818044dff51e06a68664f9a4e9ebae6122ed2c19071cdd11ad40de84dabaee626c326eb7488172a1f542ceb6190d60d908
-
Filesize
2.1MB
MD5
bab186b416f28649269feeb9a37bade1
SHA1
884689cfddbe267cf5f2164f6ddc583b0089eb96
SHA256
2c0e6ab7c57200f5ab5b4e7183763dd47b4182f6b252cadd3d53671894883a94
SHA512
e72eccef901f22d57b0849b7710dce36247ba1a0923ff98d3ce4fb4b87e0bbd30296a36d97e5fa90dabfd7ad9cfa2acba662ca40094fc7b2dab9518cd3bf0c79
-
Filesize
40B
MD5
a57e00e7b64144dba402c6db0f7ad149
SHA1
51a33fa8f038784838ba3a6c0fd16cfccf49de55
SHA256
26345f4eaae9348eb9da6a4c6101dc723a2cd58c0f15d93f5c1ee628b6957fd2
SHA512
a9d626fbae4b1da4d41e75520ebb2eee98cd2a4b9dfdf5f264e574b61f1acbf34c0bca6b1d3e1212ce37c8935a50817c47539b03030e1665a7dcc3a18dffa739
-
Filesize
1.3MB
MD5
965953437e522de4e673f02ac70055c6
SHA1
0d776bad097d2050923608ecfcbfc625bf8dfdb5
SHA256
f680d0cf326047bf290d881167cc7e6d9729f755c3924b8be4754f0e7c8634d0
SHA512
57c5c0ee3cc9da73f9f9465b09e39fcebe8c7a6d073906477f471d54921cd98ea12567c63925f3af0efdfb6a740ab6f93bed810070f829669866b5d6f99a2085
-
Filesize
1.5MB
MD5
d3823a6e307d95963df6c452f2478957
SHA1
f97cc9ef4cbcaac512a82fb8b4f8333f1a8da944
SHA256
d94d8465c1e92917d5e04c76c1658da7d8a30769f995c881f946cc41c0779c60
SHA512
d074e2ffd7ec1d7fe75ad8c4a0732b5eb64f928357c98a1b50cb9d166b89250e5c25ce6b0d1bad0866d5febf376e3234181bbace1aff7fdb6dd66e996f7f2f15
-
Filesize
1.2MB
MD5
e22096e3613963ab9381da50a5225cde
SHA1
93566d77b1f0072aec87d406143f8db76d281766
SHA256
83625819c9c68dc6706b2b69c4f71b3393817b40990a53551ea6f5f9ac1e48c2
SHA512
16a236568c86c4983e25c4486179338450ec3c9921028a475d8d8d82a000f7ded20b3db16f2a0f7a0a6b985a05e5d8c1066587cfe090475f51efa2d2cbf8af3e
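The dropped-file listing above is a flattened table: each entry is a Filesize followed by four digests, and in the extracted text the hash label is often fused to its value (MD5<hex>), which is easy to mis-copy into a blocklist. The following Python is an added example, not code from the sandbox report or its vendor: it parses both layouts into records, rejects digests of the wrong length, and checks file contents against the set. The embedded listing is constructed from two of the entries on this page. The 2-byte entry is a useful self-check, since its four digests are exactly those of the bytes `{}` (an empty JSON object), so hashing that input reproduces the record. The record type and function names are this example's own.

```python
"""Parse a flattened sandbox 'dropped files' hash listing into IOC records and
match file contents against it. Added example, not code from the report."""
import hashlib
import re
from dataclasses import dataclass, field

# Hex-digest length per algorithm; wrong-length values are rejected so that a
# truncated or mis-extracted hash can never sit silently in the IOC set.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELS = ("Filesize",) + tuple(DIGEST_LEN)
HEX = re.compile(r"[0-9a-f]+")
# Label fused to its value on one line, as the flattened report prints it.
FUSED = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9A-Fa-f]+)$")


@dataclass
class DroppedFile:
    size: str
    digests: dict = field(default_factory=dict)  # algorithm -> lowercase hex


def _pairs(lines):
    """Yield (label, value) from either layout: 'MD5' then '<hex>' on the next
    line, or 'MD5<hex>' fused on one line. Other lines yield (None, line)."""
    i = 0
    while i < len(lines):
        ln = lines[i]
        if ln in LABELS and i + 1 < len(lines):
            yield ln, lines[i + 1]
            i += 2
            continue
        m = FUSED.match(ln)
        if m:
            yield m.group(1), m.group(2)
        else:
            yield None, ln
        i += 1


def parse_listing(text):
    """Build DroppedFile records. An entry starts at 'Filesize'; entries are
    separated by lines holding only '-'. Digest lines seen before the first
    'Filesize' belong to a record cut off above the listing and are skipped."""
    records, current = [], None
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for label, value in _pairs(lines):
        if label == "Filesize":
            current = DroppedFile(size=value)
            records.append(current)
        elif label in DIGEST_LEN and current is not None:
            hexval = value.lower()
            if not HEX.fullmatch(hexval) or len(hexval) != DIGEST_LEN[label]:
                raise ValueError(f"bad {label} value {value!r}")
            current.digests[label] = hexval
    return records


def digest_all(data):
    """Compute the four digests the report lists, as lowercase hex."""
    return {"MD5": hashlib.md5(data).hexdigest(),
            "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest(),
            "SHA512": hashlib.sha512(data).hexdigest()}


def match(records, data):
    """Return [(record, agreeing_algorithms)] for records whose digests match
    data. A hit requires SHA-256 or SHA-512 agreement; MD5 or SHA-1 alone is
    not trusted because collisions for both are practical."""
    d = digest_all(data)
    hits = []
    for rec in records:
        agree = {a for a, h in rec.digests.items() if d.get(a) == h}
        if agree & {"SHA256", "SHA512"}:
            hits.append((rec, agree))
    return hits


def match_file(records, path):
    """Hash a file on disk and match it against the parsed records."""
    with open(path, "rb") as fh:
        return match(records, fh.read())


# Constructed sample: two entries copied from this report, the first in the
# fused layout the extraction produced, the second with labels on their own lines.
SAMPLE_LISTING = """
Filesize
1.2MB
MD559d686d69ae10402c539c370250fcf23
SHA193398570d8e6f1b1c739cc35bcb8ec9e89e881df
SHA25623457159da238754d90be73b05cc7d8f14fa7dda7c6c260622250162c579319d
SHA512621024f2a9c0cbff6a64ea416e1a5497723e44a618be8bb03d295240d4c3506f5d994e77d14004c47b1dfd134c76d1cfb4c4fe4724deee2a83e93ae8b20be866
-
Filesize
2B
MD5
99914b932bd37a50b983c5e7c90ae93b
SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
"""

if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    # The 2-byte dropped file carries the digests of b"{}", an empty JSON object.
    for rec, agree in match(recs, b"{}"):
        print(rec.size, sorted(agree))
```

Two design points worth keeping when adapting this: the length check turns a copy-paste error into a loud failure instead of an IOC that can never fire, and requiring a SHA-256 or SHA-512 agreement means an MD5-only match (which an attacker can manufacture) is reported as no match. Most entries here are 1.2MB to 2.1MB executables, consistent with the service binaries the sample opened for modification under System32, so a hash hit on such a file on a host outside the sandbox would mean the original binary was replaced, not merely that the sample was present.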