Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 19:03
Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_fdc74ca202b9381e6eea61dc22b5a31f_ryuk.exe
Resource: win7-20240221-en

General
Target: 2024-04-03_fdc74ca202b9381e6eea61dc22b5a31f_ryuk.exe
Size: 5.5MB
MD5: fdc74ca202b9381e6eea61dc22b5a31f
SHA1: c636d926816d6c2aec766dad61b031bf9494c867
SHA256: af4b5f5cb78dc3c8bbdb25e98e484b1695f25ca5257640ca5e763c58b13ae2d5
SHA512: 6b3463c2cc2007a6c8143ea67cdba0def0ae490a1c54147c82f3c74c877972da241536ace5cc5974923cfa6abc279af2519974da256e54f28a3615bfb949d50e
SSDEEP: 98304:uAI5pAdVJn9tbnR1VgBVmzU7dG1yfpVBlH:uAsCh7XYKUoiPBx
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid | Process
4736 | alg.exe
1408 | DiagnosticsHub.StandardCollector.Service.exe
4044 | fxssvc.exe
4556 | elevation_service.exe
3312 | elevation_service.exe
2100 | maintenanceservice.exe
5024 | msdtc.exe
2136 | OSE.EXE
1564 | PerceptionSimulationService.exe
3344 | perfhost.exe
2836 | locator.exe
1472 | SensorDataService.exe
4148 | snmptrap.exe
2284 | spectrum.exe
904 | ssh-agent.exe
5336 | TieringEngineService.exe
5472 | AgentService.exe
5620 | vds.exe
5728 | vssvc.exe
5860 | wbengine.exe
5964 | WmiApSrv.exe
6100 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-03_fdc74ca202b9381e6eea61dc22b5a31f_ryuk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid Process
1236 chrome.exe (2 entries)
5016 2024-04-03_fdc74ca202b9381e6eea61dc22b5a31f_ryuk.exe (35 entries)
3516 chrome.exe (2 entries) -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 664 Process not Found 664 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 1236 chrome.exe 1236 chrome.exe 1236 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 3264 2024-04-03_fdc74ca202b9381e6eea61dc22b5a31f_ryuk.exe
Token: SeTakeOwnershipPrivilege 5016 2024-04-03_fdc74ca202b9381e6eea61dc22b5a31f_ryuk.exe
Token: SeAuditPrivilege 4044 fxssvc.exe
Token: SeShutdownPrivilege, then SeCreatePagefilePrivilege 1236 chrome.exe (pair repeated 5 times)
Token: SeRestorePrivilege 5336 TieringEngineService.exe
Token: SeManageVolumePrivilege 5336 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 5472 AgentService.exe
Token: SeShutdownPrivilege, then SeCreatePagefilePrivilege 1236 chrome.exe (1 pair)
Token: SeBackupPrivilege 5728 vssvc.exe
Token: SeRestorePrivilege 5728 vssvc.exe
Token: SeAuditPrivilege 5728 vssvc.exe
Token: SeShutdownPrivilege, then SeCreatePagefilePrivilege 1236 chrome.exe (1 pair)
Token: SeBackupPrivilege 5860 wbengine.exe
Token: SeRestorePrivilege 5860 wbengine.exe
Token: SeSecurityPrivilege 5860 wbengine.exe
Token: SeShutdownPrivilege, then SeCreatePagefilePrivilege 1236 chrome.exe (pair repeated 2 times)
Token: 33 6100 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 6100 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 6100 SearchIndexer.exe (24 entries)
Token: SeShutdownPrivilege, then SeCreatePagefilePrivilege 1236 chrome.exe (pair repeated 4 times) -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 1236 chrome.exe 1236 chrome.exe 1236 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3264 wrote to memory of 5016 3264 2024-04-03_fdc74ca202b9381e6eea61dc22b5a31f_ryuk.exe 85 (2 entries)
PID 3264 wrote to memory of 1236 3264 2024-04-03_fdc74ca202b9381e6eea61dc22b5a31f_ryuk.exe 87 (2 entries)
PID 1236 wrote to memory of 972 1236 chrome.exe 88 (2 entries)
PID 1236 wrote to memory of 776 1236 chrome.exe 94 (38 entries)
PID 1236 wrote to memory of 4836 1236 chrome.exe 95 (2 entries)
PID 1236 wrote to memory of 2884 1236 chrome.exe 96 (18 entries) -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_fdc74ca202b9381e6eea61dc22b5a31f_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-03_fdc74ca202b9381e6eea61dc22b5a31f_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Users\Admin\AppData\Local\Temp\2024-04-03_fdc74ca202b9381e6eea61dc22b5a31f_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_fdc74ca202b9381e6eea61dc22b5a31f_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2dc,0x2e0,0x2cc,0x2e4,0x140462458,0x140462468,0x1404624782⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5016
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc26e9758,0x7ffdc26e9768,0x7ffdc26e97783⤵PID:972
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1888,i,8139003985619677151,3583325621310268436,131072 /prefetch:23⤵PID:776
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1888,i,8139003985619677151,3583325621310268436,131072 /prefetch:83⤵PID:4836
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1888,i,8139003985619677151,3583325621310268436,131072 /prefetch:83⤵PID:2884
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2812 --field-trial-handle=1888,i,8139003985619677151,3583325621310268436,131072 /prefetch:13⤵PID:4308
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2864 --field-trial-handle=1888,i,8139003985619677151,3583325621310268436,131072 /prefetch:13⤵PID:4024
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4616 --field-trial-handle=1888,i,8139003985619677151,3583325621310268436,131072 /prefetch:13⤵PID:2304
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4992 --field-trial-handle=1888,i,8139003985619677151,3583325621310268436,131072 /prefetch:83⤵PID:2344
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=1888,i,8139003985619677151,3583325621310268436,131072 /prefetch:83⤵PID:4424
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings3⤵PID:4552
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff66cd37688,0x7ff66cd37698,0x7ff66cd376a84⤵PID:4488
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=04⤵PID:4436
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff66cd37688,0x7ff66cd37698,0x7ff66cd376a85⤵PID:4596
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=1888,i,8139003985619677151,3583325621310268436,131072 /prefetch:83⤵PID:5256
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1888,i,8139003985619677151,3583325621310268436,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:3516
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4736
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:1408
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:3884
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4044
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4556
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3312
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2100
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5024
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2136
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:1564
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:3344
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2836
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1472
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:4148
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2284
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:904
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:5144
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5336
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5472
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:5620
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5728
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5860
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:5964
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6100 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:5528
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 8962⤵
- Modifies data under HKEY_USERS
PID:5708
-
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵PID:2344
Network
MITRE ATT&CK Enterprise v15
Downloads
SHA256079cffaae7c6e2a60f97fc4fdcacb02d4704e478ee5cd18cf0940588bb10774b
SHA51208c342558c467f40846319c50178f9fbe1e61e45309bf2103a72277df1b5943896fe51352dcb255b4b0df5e6b57e64ab4f4ce0ab27d3ca8b9b7898694db31b4c
-
Filesize
4KB
MD5f20cc58f80e6b99d52ca0502d8322756
SHA1a1533a3e428dbaec98441d0013122e895dd0baaa
SHA256cfe87478296d572bdc16b72aa453b6ff6c775857ce1d5ffa6959ae23567d2036
SHA5120e5873341d8f34390fb7751bc9ada4d343bba5b7b96099813fd7b33d8b2d4bb818c68c239fc609cd7a1eb76b720c8ac3ea86588e0a3621757443fd6e73e9911b
-
Filesize
4KB
MD548c4200623ffe24e138fafb1d67272f1
SHA12342772bbe5e06b0d5fbc83dda345bf7ff37ad89
SHA2563017a538f6c1b1607716f25b39fdf514a7724399c681ea30aa0bcc17c1a9effe
SHA5121b729de1d3996f4233c983ba5b4cc356652ef8b877eec7796b2f770fa0d4a9ec5576d1f615cf9533fc1c18e21076711af9a12c0c25c647f9c8c38d2f628e114d
-
Filesize
2KB
MD59789813c7b351abcd4b4cc4821874f82
SHA13c3839cb1e6fcbd66f3c6dfc092f3aa49c057c03
SHA256899961eb96b3c34c8a0b0bed8f6e6d81c5979592af5cc0144590b71e394bf7b2
SHA5129c8dce395a863812d3b050b5068e97301309e46ae0c69f6ee0f8539f3dd453d269bfe4865d4afc6a8518e4b85ac49f8901fc937ca19da27a1e5bd178e3774a76
-
Filesize
260KB
MD5f20a53e001630195c319252cf21efb9f
SHA1b418e843bf1f4e3cc33f873a08434a60f6848c5d
SHA2563a7fd4ca276553e4fb4c50d83f1acf69b1e37e26a7b0ef1be1aabbd144cda585
SHA51294679e12cb4b025767aaf36ff60629eb4e65b5553d650aae01a634666b3d93428038d45404a85c43e95ffda4dcbafbf0c38e6ca64984a431a3498f70b67c1f97
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
7KB
MD54682dc75415b6a14cd11328987326211
SHA1bf45cd50681af45ab4852187227aa2734d5a35a3
SHA2566e40077b20e82ea01f0428d2c5878214fef0f716308de85429e9a34b9a8ce7c3
SHA51247bfcef68411ea9a1a9bfe34b8721b1646efe1cad946244b722024d3e0a4b3d77f41ecf09adaf7a9058a08971a9261c5d6326d89c528af3212192c35f345cb86
-
Filesize
8KB
MD52d13370701b76143a15b4382d261bfa5
SHA138191ad8eddd3b3d6a1c2b34b7964e8cf916768b
SHA2567b1ac7a06df855167a7a4e89d433a56e460fda6c5591b2796e8467b390500fba
SHA5120afb289c6ef85d9fd5ad60abe449d44ec5bcd8342acb49487d2cbde27f9d779aafb96d2c0f886bd3dddd1511451b44a141f6cb571589615e5ef3a64359ab15c7
-
Filesize
12KB
MD505d042493a4e533b24766451152f6003
SHA1a16e1c41a5e5f8818e7583d344fb709df83ab48b
SHA256488812cdb616a0e3a71ba8c405c83fa90c9a61d9afb7d744cf5efdec2a208fa6
SHA5120af29fa9a6519483c18e098fb863a75878ed2dfcfef012b14cbe5edc0fea12a916283e261b8066e617b0aa53926fa6633ea10dbc2b44cdaec8baa9f38299cd04
-
Filesize
588KB
MD55aeea0eb172666665413dd6dc84078ab
SHA1a3e78572df573b65c11922e7250203635d043e54
SHA2569262e136369177ff76fd8d0b3ba3a808a1743a9acf1440dc8d315fcac88e6723
SHA51298e2e29a642725de22e4b63ee7c90023d83ec71230d6646cd255e0589d42ba969e115108558c0d2b17b5feb9bc0e70cd5b138798852f26d27a1feeabe6964d3e
-
Filesize
1.7MB
MD5cc7e9e8c7a0aa10a9100dc64274a9d55
SHA1e4c54df65631efd77f43dd1901f6db08829be073
SHA2569ae40334c10487c471d22b4d57c51aa6b7d91726ea3d5d82b87530b13398214a
SHA512a19cc64a473a4f404503a41008b825da09275cb5767a9f1b099a1f6b18a5c1db9a5621325e1e0539f52ed77a0180b62104bafceb6676b60f70cd4228cc467c5a
-
Filesize
659KB
MD5ef89944383ea5a86f7f1e5c0ad458440
SHA17ed4e7ee386ca503e849bb6fa96bb4d43a3017b6
SHA256e8ede02f5eef8cb943ed062410297366a6cda1fabb8ecf306908d88837a14f92
SHA512ff5b5cc2c412c641d036cdb8b8f4de9a7b41a42a76a6fcb485728c0b3eca97094c810675ec44dec91516c477569ebd331e8615806f687e78f8118dcee2cfb30b
-
Filesize
1.2MB
MD5e0e74b251a7bf94538d8149b94370d7f
SHA10cb59bb15512b276b55e699612a7e6388d242fd9
SHA256ac8472d9a7fcd77a6410da49887ef5c24a6e98fbf372eb49bece3b2003017548
SHA512a71e6ef9d22679caa7efd0911c381e1c97808fd0d843ae3d57b3e063beec7cf3f07f691aaec71597c5f5101edcbbfe1f1500ee0349834a9144355433ccb76ef3
-
Filesize
578KB
MD5bd3cf843fa182b89b03835473dbacf2f
SHA1062d41f93deb0a7286223b943f11de54de219559
SHA2560266593cc9bb78172dc7bb1a7bd2bed872bcfdb99ad4f317c5b7b82f138de8c1
SHA5122db662b2296a0304892e7798f5a028f1b7f997b06c6fdf5c175e79b1b6e247e5ad74ce32802bedfbcd214db9370686c28cf5cbbb2c99ef7d0175f9f735a1bfe7
-
Filesize
940KB
MD529afab90b6cfda0f0bc8fed99aa255d4
SHA177dca93343b6edd499bd4d92e7ed1724edd48051
SHA2562522fb212315877a66bb7b5d6d65350a68178af6ee746c1f2fab01bc564a065b
SHA51281efb2003ca71723b1b40b937465b93f99b8f7a14b5870c42531136abfe121326709a89956fb0c0de5a745fe4f9272a95657d6a5f9f9678db6cd52ae26dd58bd
-
Filesize
671KB
MD57b3bbcf6657705a1d57a9b4a8d305061
SHA1698a9fba7328545363facc481fe7f40693ef2027
SHA256b810a826e21e020db043fe8f604aa7251bd1697bf0a98158b6bd5349c5eff1dd
SHA512430dd2c29b32f48546e03178322d05054aa7de24aa9cf39c45ea0277ee5e2af240baf37aa12c1637d05e55f1a814a6c06613ae16d72be2527eb2db2b496717cb
-
Filesize
1.4MB
MD50977c86cfb581796bf7da9cc93ff2d8e
SHA1328f59516660158a34eba965d060f020068b9c4b
SHA2566885f884d2cd8d96c4b971b967efd6b26ea7b115839ab23979939727bfcf0fd4
SHA512a7698e4cac52f1516a1cf490cf3f5b24c5cef63b7d3a0ad592325795b41751499090da00e00ab1ccb251e1298205c3abe066881cb10f0d45ab224a7f8d6699a0
-
Filesize
1.8MB
MD50b74c5b6fa39516517cf388ac792b197
SHA1b6c810f5bb3fb0e3ce56f2cb0acdd032f82f7315
SHA256cd65aa4eb3d1971f90da893568be7dedddbec9d02824c24db0bb371b59aa50dd
SHA512d67e9590c9e6b316f7a3ef0129442fcdd5b9d3915e2f2833c9a7fae1ad3e8ca45a385c132d3f94072191e69812dd5ff2db58872a825ee27ec5e57e38030bc3ec
-
Filesize
1.4MB
MD500a4b39c1404d745dc9789c9029e6487
SHA174341fc1fde6f2fd4957e8bfda67aa9a45350966
SHA256be2aa488e3e71f70cd2e13097d1003f0a6a3435db1c1c6887d524fae845c6684
SHA512277354beddb698e64677a3bd083522f4365a7d9a6aacb75ffcd18d7ad691d49056bad8f48fb17a4204b59927103366d3f60b8ad9b47ef3235f15bbad885c66c4
-
Filesize
885KB
MD5a399ba72bdf477aa4ad828b5a3a6bc14
SHA15cd566c5929ff455209e4a648b88d188b9285d38
SHA256d9fc2f960e2e7af89a0c1d297321f296619816b3647fe429e8dec654d2e08d44
SHA512306b73ed791bf98d200dd7a7f5cd85aa22a4d6a16c51cf4ecfe898a24a35c62b9a0061dfa3632cdaa596d6d1a81986679589d83fbd28d271f74d13de67f30d93
-
Filesize
2.0MB
MD5be63f194adefea8c0241ab82eebab2fc
SHA12918d0311e14aa9147be7020c426dac46c4068d3
SHA2569694aeccce895943da4798e81dd2a23cabb368a42dc0a5389e8ebc47afdf0f46
SHA512b120123f29ad18ebc34725dd327ee582e2d42ece2aad018a7f840bbba1cff4346889b09d3007c89d8100bea646042feffe972e23f65e18fc1592adfe5d0e6c40
-
Filesize
661KB
MD5ce6dd57db93ba299aff739bb0961e0b8
SHA11013bdedd7a2bb3066286eb1d0f9ff82f7fd6a8d
SHA25620ae1187bc7d31b649c2d57e9cbb5ef84785bd6ca0f371ff2c28cff7f17ad9fe
SHA5126e58409783b3fbb2403d63cd8055dd135c685f2e6a5ddb17f9117297a9a550fc4fdf73c72467fb9b550bbce39dc5a522741fb57f67675d438ca3fcad6faab02c
-
Filesize
712KB
MD58e056ff41c689842de8d5e5ed3345f13
SHA193e85617044a87684cc33bb7444512c4de842dd9
SHA2561a3248a4fa67acca4dbdfe185f135072b8c75d4cef4a22b9ef09e3d444533ca1
SHA5122fd5dbdf16dfb7c82e61d0d64836ce43c947fc097e7d2bc74917e972a4cf08732235e20a4809fea0cb5f13106171039531986e026b8ad330c29350582d576536
-
Filesize
584KB
MD505f05f3e7e4afe81cc8416b3cdf28594
SHA1772745310448ad916fed850a5aa4a71a066d72bc
SHA2566d1f0687ad7a812d89e1c7845ee1729a34f1383076a13e443df0974910ae8ae6
SHA51295b22415d722ad04127caa70a5b5bff2771d550fe54026bfe7207ae54477d9c774336b18efce19971a588c04daaf59f7af90be0b3177bd6166f38eb96ca5c4ee
-
Filesize
1.3MB
MD54b99303352c9005d11c7b52efe925787
SHA1cc1b41c2f32c4e5cd1fab10fdb828337579655bd
SHA256d7438c40c9f07e8b561641191bbf07989c4c72b148ac590f7ea89701b8d1907b
SHA512b891df07db85a21ad23df4758c10276761d42f55c57a7c46ed0f7b07597344ce94c4536ef70e981b05ee161927d06d70baa12606c7d510df5f0afe4055d83024
-
Filesize
772KB
MD5cc2c95f7215b61dcf27f6156a076d0e8
SHA12772138efdcec8a54281d9367bde49efc3d4ca32
SHA256b14fcfa90f990fb4ebcd5f1084afec401effe5aad41212682d6bdc7f40d8f13e
SHA512ea0755d23897ba35db8b226fba9545a34a28ab02eb06774297a47c5a0a6e3060fdaefeb589d6d2fec42b31602ae30127cef96fed86c54058bc6d0ed17980d2a8
-
Filesize
2.1MB
MD5f7725d77d2b623e46f736b26ecbe6473
SHA1a692a0815586849f46f33d813c0d2aacb41452e4
SHA256b0616e2f9af58b273f3488a96658bb017556dda9ce3c61e123f4e7612b2bfe42
SHA512ed2f6752ba416adf721576a0c47f74c7fc7c9002905aab5ebac3951097224c725c28a4949d34148d3cac466ef9a711f1a4d3c82ed3fcefae3cba84009b84561a
-
Filesize
40B
MD5a57e00e7b64144dba402c6db0f7ad149
SHA151a33fa8f038784838ba3a6c0fd16cfccf49de55
SHA25626345f4eaae9348eb9da6a4c6101dc723a2cd58c0f15d93f5c1ee628b6957fd2
SHA512a9d626fbae4b1da4d41e75520ebb2eee98cd2a4b9dfdf5f264e574b61f1acbf34c0bca6b1d3e1212ce37c8935a50817c47539b03030e1665a7dcc3a18dffa739
-
Filesize
1.3MB
MD53c9ffcc4703fd8e228384991555874a6
SHA19dab5687636b778a0ba744fdd454fb1b83848d84
SHA2565efcacc19255e18d26d854304686bc215fa019f61160f9fc876e5cee9033c8ad
SHA512da32b137102ca08abc965adced04d41975961ddc946fa9f4474246ce73b531c5b9ee7425eaa7cc825e9f28e1db6d3eefa6c297c3abd89596fd011ff44bc84545
-
Filesize
877KB
MD5039b42da581968c25f573ea9d66f2748
SHA1af896c8897b013d70f652e667305c56ef9596ecb
SHA256c280213a17229c98e1024808538070d7afa46b99dd1d0507d7e12802e0c8ace6
SHA512a7e60f213c9dd9293cf0e8fe054946aaea4c587b14f65ab3cea868304b004222fc7092b46bf597e920494a96d7ef8ab98381bece3552a32ba9d2601c66d0accc
-
Filesize
635KB
MD56361d0973b09fa8bec96b3384b176f03
SHA18a2908fc6f6dd3f36364d221560b17b1ba667d29
SHA2564a39586ecca00882e59061f20b38fccbe809d9854e39e521493e24c514487956
SHA51269d4cba974fe2eb11b9b3675a10ec185999f8cfe68a7ab19eb44bd6ead7abc1fc8fb68a53b29a1f940452ea02368b346870ed4f6245d4447208c48373a865863
-
Filesize
5.6MB
MD5bf63f3667f1306e6300a218197b469d0
SHA1e497b7e74e333d542b435f1fafa4f0f1a14bbfa5
SHA25657f8ab4ce137968eeff6c40d96420fc2dd83280c2203492c8021689cd51e4815
SHA51270f99997046b60e203fe683f73fdff79c67f4bad1c7e1872f8e822f86da6a19ecd0aba510b3f2baf5656c7ed93742d83f7d8eb5a128655f7592a392a9a542a6b