Analysis
  max time kernel: 150s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20240226-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 10/04/2024, 13:43

Tasks
  Static task: static1
  Behavioral task: behavioral1
  Sample: 2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
  Resource: win7-20240221-en

General
  Target: 2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
  Size: 5.5MB
  MD5: 0d558fdac6b405f59ed1d9e486fa6515
  SHA1: b93ee79a8f3d2570d8097499919fe1fd86ca04e1
  SHA256: 9dd6dd5331697a53f7f9f104ec124f52e250a995f5fa08712ac84f6553f2ecac
  SHA512: 307f31eb037f89849136ddc753d8caf9b198e9253768b21806c79ff2ad82b65ddde806ee878b27f695dc1b7c2c1a74024627713f10e983a5f81e61de0cafde22
  SSDEEP: 49152:WEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf7:sAI5pAdVJn9tbnR1VgBVmxnlS
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
  pid | Process
  2976 | alg.exe
  3220 | DiagnosticsHub.StandardCollector.Service.exe
  3620 | fxssvc.exe
  2392 | elevation_service.exe
  4500 | elevation_service.exe
  2004 | maintenanceservice.exe
  4756 | msdtc.exe
  2084 | OSE.EXE
  1336 | PerceptionSimulationService.exe
  2948 | perfhost.exe
  4896 | locator.exe
  3248 | SensorDataService.exe
  3536 | snmptrap.exe
  920 | spectrum.exe
  1004 | ssh-agent.exe
  5268 | TieringEngineService.exe
  5380 | AgentService.exe
  5536 | vds.exe
  5780 | vssvc.exe
  5976 | wbengine.exe
  6080 | WmiApSrv.exe
  5132 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
  File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
  File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses 39 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
pid Process: 668 Process not Found; 668 Process not Found
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process: 3628 chrome.exe; 3628 chrome.exe; 3628 chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process: 3628 chrome.exe; 3628 chrome.exe; 3628 chrome.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Process tree (indentation shows the parent/child relationship; each entry gives the PID in brackets, then the command line, then the signatures that matched for that process):
- [PID 2140] "C:\Users\Admin\AppData\Local\Temp\2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe"
  Signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [PID 5060] C:\Users\Admin\AppData\Local\Temp\2024-04-10_0d558fdac6b405f59ed1d9e486fa6515_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e8,0x2ec,0x2ac,0x2a0,0x2a4,0x140462458,0x140462468,0x140462478
    Signatures: Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses
  - [PID 3628] "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
    Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - [PID 4228] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd06d29758,0x7ffd06d29768,0x7ffd06d29778
    - [PID 3044] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1884,i,12902712342938712336,3908004407744542040,131072 /prefetch:2
    - [PID 1828] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1884,i,12902712342938712336,3908004407744542040,131072 /prefetch:8
    - [PID 3612] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2144 --field-trial-handle=1884,i,12902712342938712336,3908004407744542040,131072 /prefetch:8
    - [PID 4648] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2880 --field-trial-handle=1884,i,12902712342938712336,3908004407744542040,131072 /prefetch:1
    - [PID 3104] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2908 --field-trial-handle=1884,i,12902712342938712336,3908004407744542040,131072 /prefetch:1
    - [PID 4088] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4644 --field-trial-handle=1884,i,12902712342938712336,3908004407744542040,131072 /prefetch:1
    - [PID 4524] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4816 --field-trial-handle=1884,i,12902712342938712336,3908004407744542040,131072 /prefetch:8
    - [PID 3312] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4824 --field-trial-handle=1884,i,12902712342938712336,3908004407744542040,131072 /prefetch:8
    - [PID 4676] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=1884,i,12902712342938712336,3908004407744542040,131072 /prefetch:8
    - [PID 5116] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5252 --field-trial-handle=1884,i,12902712342938712336,3908004407744542040,131072 /prefetch:8
    - [PID 1596] "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
      - [PID 5628] "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff77eae7688,0x7ff77eae7698,0x7ff77eae76a8
      - [PID 5692] "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
        - [PID 5728] "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff77eae7688,0x7ff77eae7698,0x7ff77eae76a8
    - [PID 5400] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1884,i,12902712342938712336,3908004407744542040,131072 /prefetch:8
    - [PID 3772] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2440 --field-trial-handle=1884,i,12902712342938712336,3908004407744542040,131072 /prefetch:2
      Signatures: Suspicious behavior: EnumeratesProcesses
- [PID 2976] C:\Windows\System32\alg.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory
- [PID 3220] C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Signatures: Executes dropped EXE
- [PID 4192] C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
- [PID 3300] "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- [PID 3620] C:\Windows\system32\fxssvc.exe
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
- [PID 2392] "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  Signatures: Executes dropped EXE
- [PID 4500] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  Signatures: Executes dropped EXE
- [PID 2004] "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  Signatures: Executes dropped EXE
- [PID 4756] C:\Windows\System32\msdtc.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Windows directory
- [PID 2084] "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (image path recorded as \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE)
  Signatures: Executes dropped EXE
- [PID 1336] C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Signatures: Executes dropped EXE
- [PID 2948] C:\Windows\SysWow64\perfhost.exe
  Signatures: Executes dropped EXE
- [PID 4896] C:\Windows\system32\locator.exe
  Signatures: Executes dropped EXE
- [PID 3248] C:\Windows\System32\SensorDataService.exe
  Signatures: Executes dropped EXE; Checks SCSI registry key(s)
- [PID 3536] C:\Windows\System32\snmptrap.exe
  Signatures: Executes dropped EXE
- [PID 920] C:\Windows\system32\spectrum.exe
  Signatures: Executes dropped EXE; Checks SCSI registry key(s)
- [PID 1004] C:\Windows\System32\OpenSSH\ssh-agent.exe
  Signatures: Executes dropped EXE
- [PID 5160] C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
- [PID 5268] C:\Windows\system32\TieringEngineService.exe
  Signatures: Executes dropped EXE; Checks processor information in registry; Suspicious use of AdjustPrivilegeToken
- [PID 5380] C:\Windows\system32\AgentService.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [PID 5536] C:\Windows\System32\vds.exe
  Signatures: Executes dropped EXE
- [PID 5780] C:\Windows\system32\vssvc.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [PID 5976] "C:\Windows\system32\wbengine.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [PID 6080] C:\Windows\system32\wbem\WmiApSrv.exe
  Signatures: Executes dropped EXE
- [PID 5132] C:\Windows\system32\SearchIndexer.exe /Embedding
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - [PID 4116] "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    Signatures: Modifies data under HKEY_USERS
  - [PID 5156] "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
    Signatures: Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD56faf1846b1db09cee55b57cf1c28df07
SHA188f5da07d6a752558cd1522c74f7f57e39a09f46
SHA256a435d159345141f878d8ea37a9d8b8195ea46cc21375f0c429fc34fd9b83f090
SHA5120855c71d9951e1b1aec0779b26b1cb88dd03eba0f3cbdac398abc98d6955f6c616d431e869a5de4944becc3d529394508a5f35de3375ea4d14b8e631dbc8bb97
-
Filesize
781KB
MD5334b4b30ba5f02a9f28931157dfc953b
SHA172e1a8534ddbd58e0eab6dc5071e1d8a1f5e965f
SHA2563fba7902f651fa149c6d399d82c1097c06e6a61c81056899f0e1610808332854
SHA51297a48f89d69158dfd79786e7e4f62165003e1371331ce27e0064d41f9ddb9b5a4666786b3e58423ff5802a94c9f958c89aba3434bd4fbe2a2e16324c7f661b4e
-
Filesize
1.1MB
MD5e91650cb89436127dad10b3920a97166
SHA13f5c2ad689c4176fed2bddcc4208b7ff7f1f13fe
SHA256b715fb7a889df35be1daf59e2b97f592124dabc73fb2d882d4393ed4db209e1c
SHA51201e0628e70b079126151c39ddbb515d12c632cb1cd14188addd81a0c33d5227aa7ceed5acb914d42253d34e0bb6d33dac7037b40f10c9535dbeb4af20bb9cebf
-
Filesize
1.5MB
MD59ab8b7dcbcc8db2d402998d1d7da3f9e
SHA1310fda6c651ea0b0e6dcb40344164ed45e0506f6
SHA25640b072cfd02b156db38af1b0098744c1917b07a48c938985e4032f8df73c49c6
SHA5124196c9f59d7e0cd0e59fb127711f3632531ea7c1f86b1d3c50d5341917da28c91ec71a5982fc5f4f56581b965b114675cef9ad7a74052b2224bd834521440e6f
-
Filesize
1.2MB
MD5e5eef44d81acd9cf892a6840eb414ee2
SHA11a4cc92d73cbfa9788bbd712ad84b71413171f34
SHA256d38280fe749aa2ff2ea4b770fb93d947a04ef7b96e03f9d5afa4a3ce4dd35282
SHA512e8a0085b06bc0d0555c1f612f8b5d685654de697f8bb1cc32b67960f7a31bbbe6a214b996772660157d968922c5aa6f3c1608638aa474b141e9fdb86a5354ee3
-
Filesize
582KB
MD5beff7a59dca7fb7e2e0c0101d458676c
SHA1d9c4a8cfe5c4b63c1abc8f8971ed94aec194918c
SHA2565aad71e9f6247b1303661817d40ec33b808ea24591b9185ea13bdfdcac400a69
SHA51240d9b0033290dc2b87c97a1d5a7f98a8f4935e1b38d01b3188f48a3f29b853ffc2698947bdf7458965c58a8f7ea64a8a81a1217264ba900ccf67dbc37804c8e6
-
Filesize
840KB
MD5c5119d93a49057b0561bf051200b8ddb
SHA1f24e367014ccdbbe946eac7e65cca01925aa7e35
SHA256220fb79bf9c38a8c4610d06411c77ff1d3217d60ebd5dfc6e8812bc94ea9a95c
SHA51282719a0a5f5b9ef43cd74ff910c0345385f52e9456bd7417d7b76b7c5396393d7f453867c126d35eddff1aed36e6a64e42d22403c3e0fdcefefdae91111c60e0
-
Filesize
4.6MB
MD590f9277eef1badbd4cbc17f643b33c42
SHA133d809d98819aa7e1679ec0ca2c44a862b17c1a4
SHA256d8731e62fa81edbc3e7d938667207cca1bd2a5cf1f968aa57d2e3f3b0e20e31a
SHA512c0c53b86434624513a3397671a83d3d2585ca179f0da1e429067240e510ac757c7151da0e91c0b72646c54481e658d8cfed1fffef53f80cddc90ea948d3b6682
-
Filesize
910KB
MD59f5dfdbe099f0c70bc1a6bdcdf46e40a
SHA18255cb07971a01f59bab125e0305ba82479c7fef
SHA256da8dca5f5e76e2545340319db07869295005a54eddc2487232c1d4444ac758ac
SHA5126764a08d873c8ceefd273a5a3ebc6af97dd8bae0792e69d46714ac1a560e93544b5ddbf705936388fe27102a845664a198e535dc800912b3e295886ecaafac5d
-
Filesize
24.0MB
MD5d07841b88d9ee04e144560e5fcd6c54c
SHA1eb7f615179ba1407841fca407b0c5c8ac3d1f1c7
SHA2560e95d6107ec9004e052dab26b8e52ff4ca8517b3f2eff8eb0bba186a60189250
SHA5128c5f2d77a6d1d14ad1869e65d66c4ec85ffd72771ac3452cd1ed3337c34a085a618f3eaf39e4aca22d9201f4a5335f77c10caefa2eec9ba4f1f83e957ecb6ab0
-
Filesize
2.7MB
MD5ded31d7df383107d8f9e255fbad01448
SHA108feb1410839b6d3db06d8bfbab34f51b1c38f48
SHA256294e5ef9c98589dbd6cc007ef88d48c519efde2f0079bb48c708219e581fa05e
SHA51252cfbb74de19f844c35b55c910597cdafcd31df80482eaab3c3779444de93ab22cb43080747640d82c2161fd9737c32ff6fcc3b88f27c20a23d2fcff775ab783
-
Filesize
1.1MB
MD5a59bcc71cc2585639a00c5ea62d29e13
SHA157d22f0dbc2000afcb308b30e9059bad7c93a03b
SHA25625c1d5e4fb9928edfcaccee2f7b566f8d520c4a5aa3ac0f2dbd222f606152f84
SHA512054a7bd094143376a3d077ac40dffdd0b60303ea6c2003534271241dd27349a56452a6312bbffcd5fac2206995cb20104e76caf8fd935b7637c7da8fa0385003
-
Filesize
805KB
MD543d5af3d31856c403e25316bbcb06507
SHA153f3657bc99288a84844e9d25b3603a8fd4aff55
SHA256f49de82836fde792d0b780c0c9fc23dde052d3699b960ffe4fb751a72fe78b48
SHA51215bbc63c518f10f9ca5701f34fcbdb4796d0e0970a78f118039f63fc94dc074151c9cfd323113476fce417baf64d3e40ff0f14624127d4860bab35d5c6e17548
-
Filesize
656KB
MD59a1b6495104045a3e788571d37bbc2fa
SHA180ea6abffc02e224b18d44d3dbcdd1fe8c3f07d2
SHA25621d69f7f69b6290f57bda4e849d5583ff967f8986bcdae209dd36a7d9d8d8224
SHA51263452e9823b528855550c52c82ff90929040ac40c9dd09abb89c506670d8d79a150c3e2714e7c31e4839de1cb636a3e7ad825189116c9ac2035c129724b636c3
-
Filesize
4.8MB
MD51f5a6d3236504fae72ccf837e9eb459d
SHA12056a2b157db11364509a8131872f5ab5b8637e5
SHA25693f0441f31c45a48f91ff4733c624039d268dc4c79578e2083ba6b0275378287
SHA512d0b87d2983d811fe7df787cb6abbccf0cfb53c9d26ec0d4da4770a0fd0fd4a1eb1d04aa20df45c783354f938c4522e7a64fd9d02d811c592828acf53e7a6fcf4
-
Filesize
2.2MB
MD5437df2479bc074555271c5d3f5bba26a
SHA1c7681329ce21bd6156d8155eefff2946d23e6904
SHA256f843567439c13095d33f475ca0ca27f0e9181339a192a89b71b413f86c84ef1a
SHA51242d2ff9a4523b58fb14d21555ec2ad0fbcaab818822bf0941cb0ee5ae0c7f491861162da8d39300bd5a6c5be59a69a1892d3a7e2f6c4dff82ace908ee31e4b9e
-
Filesize
2.1MB
MD550c441492940d13b7914099343ca4216
SHA10312282ec2b7de308adc30b55a0e2793498c1704
SHA256b58f76284c10aa7b05a81468f58ed4c28c9dddc79e6f86d49cb423954136a647
SHA51264a10b4a3082b63c247424a92f65ae97129f87469f9b4b9b1e7ca36de6b23bcda5652181da1fcde1dea723350995ef1020c1bdc69463e4d2bee774f96b6d8a1a
-
Filesize
1.8MB
MD5ba3dd89dcb302975ddb753f301fcf75b
SHA1b439cddfae2696df41ae52bb6f66b61e568311ef
SHA256d88f214533e9afda92b9e7f90ae9108be6e4e206d80f10608d6df8d6043b7a34
SHA512de95e56ea084bcf8edd7dbe1c5ceddc7c7051805ebedf650f7ec4f7071fc0e0d1a3792c728ca08e2606587b8c7463020a657b0d16ed498c510fad2be1539e59b
-
Filesize
488B
MD56d971ce11af4a6a93a4311841da1a178
SHA1cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize
1.5MB
MD52461b72b918841a4e825414f6e682ad5
SHA1a56dda68182e9bdc930dfc04ac288791c43867ac
SHA256a1bf1f4fa8f54326b30cb57d04187018c151645b254eee752346d616f2bd9d1d
SHA51260cdf6b3d19da4e297d2d8f2569e7f77c9db281a3fb2487a511670514df8e2b1a1fdf03d08e6156ae755307c432a0c146beb02f8eda9317092b1f4865f4b4bb1
-
Filesize
696KB
MD53c00153d050ed44227f7a27fc11d2eaa
SHA15addd514aedbab772f2b61177f1baad4b73f2fa7
SHA256550a41558839139a8a70d1358408946ca379cb9aa9ce4fa17d8872409b04f1ae
SHA51290e5814a96fd7eefcc0b14db253babc57316b4270c3b6ec01183d91ddb3029caa2dff06f539b03fbbc061c0f2fd3dd7f2ed72a500805aa755ed55064cbf71aaf
-
Filesize
40B
MD5
1a7cdcf21794595155d9daf1ec65d8da
SHA1
40352477e8e67dcd08926c4d5904886a59ca052d
SHA256
ce57ea98de4e5bc14ef94248254970c775ec2c2e1105acf460333f725b3366f3
SHA512
3e1c27fc5dd19282fbaec773dd87077fe1749a450b2ee15bf001548751cc6293025e3454482706126131febb642021ae655350bbe8d43c5cd057b73708241895
-
Filesize
193KB
MD5
ef36a84ad2bc23f79d171c604b56de29
SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize
1KB
MD5
a59a661c519497289d86eaaa6d961e96
SHA1
a0b91cc52cef1118e28fe113756d1658fb6c8b84
SHA256
f3e9bc1c8cf1b908e319233f5c0ebb0b2c78c86d57965634f4046c808807d06e
SHA512
aee40ec822e8117ca1d05e46695b7accbe3d14b357f2696607c6d5f19c783fef50b7ee2d068f1cdd9279b2ba932af587ad8aafc1c0972625a9b6cb3ceeef8a8d
-
Filesize
371B
MD5
ae8af98b1f887dc658cd213ecfa0cbfd
SHA1
f37dd8fc6171b1c43a8b3cf8db08cb1a2853a92f
SHA256
da550ad5e842413076592c6d5da280a6f8a81ed06b26ae644f6330470ba7152f
SHA512
daed3ec46a58d960542e55e58911b087d221636e0efe87aa22c3375d382d58b87de7438077d3e18acb7836ba501ebff82b78bdec4e8e80d300df6507a6766793
-
Filesize
5KB
MD5
b34393a88d44cb10463fedb998808751
SHA1
c70412743fc45534f0b902ac6568e9a056df6391
SHA256
eb36a2b4cb1ca50637732b4a50e7f01bfb987bc864bb7c7bbc373e9cac04e056
SHA512
c99367eaf8b2507676d535440dc235a6c3e37d07ee6cf60cfec4d97ba3665e5916d0e266a34e9f7d8d59f4b1d10dcb85d80ce05258f8b9025731834a1a2bb152
-
Filesize
4KB
MD5
1d3834d92c4be1255c021375bc6bc13b
SHA1
66dcb250d4b9633740597adf19a0202e8f456560
SHA256
2ce2ae0e559665992973a805445432b7d43a0ca473f1d922e9bd84ada958f2ca
SHA512
ca66df261fbb078416152e8c828a323927c1a14e30e4c883aa63b92b3b08d7fe003713c5b53ec9caf51ecb8684fe4b7808a53dd146f0a2238f8bcfdb88b43749
-
Filesize
4KB
MD5
001b68c6a577e6f9457339bdea84ab66
SHA1
972cf1248975ab2a0f7ac5276afea479cec26f97
SHA256
22967cb9831741d097770405a663f387260040e9b42a3a6d814b9b8e1541ac5b
SHA512
3e580d24bba4c35391a960f75ee4f533394b9539152c15291a1132667e7378201a42e2c3b952b007d65f0a6913142948d5eefca2ab2f0406606eda66557fd886
-
Filesize
2KB
MD5
f17dd383c8676e8278df4555e1f52807
SHA1
c05d24e34597ab70955806f2cc8333fc8268f6b8
SHA256
5cce19535dbda5de3a87b5853ef092e281c10b1ac94a8103adeedbebb269de8f
SHA512
a6bca5bffcdef4b078f4807da14acf8dbb286fe1d71e591f59c7cdea0eec5ff7f4ed9eda8a55127e1e8e12c990f74b08e243fdff9796b525965a5c6e3328f116
-
Filesize
15KB
MD5
6e7e52dbed4926a1473365d8fa1f670e
SHA1
d483214982814dc607c05dfebe07b4773834f0bf
SHA256
acbf3d459804a910c1fbd43c87bf91fe12b3c647080a64294ec9e6055c9907db
SHA512
45f1505697201b778421790aaa533078fe7e978749fa1c5b70b39ec696841690179203c33bd1dacfb5318a5476d08715e46a88631baf6d009c081d907ac7ca61
-
Filesize
260KB
MD5
cd219d030cd9dfcd09cc44174c38bc8c
SHA1
ad0a5c5fdb5dc4347e63bcc07cdbc2020de28a1a
SHA256
5503133aa398883f4f7401a7e664ef913793854c70a8df27f2feab0d84f196b8
SHA512
6b1731540c2dad35b9a965e9326fcbf09258538ac8609e5610d8a3afc48c8822c60b7e9ed06c23de4e31ce6d75285f548f16dc0e78b5893dc2b2bd55ba8acf80
-
Filesize
2B
MD5
99914b932bd37a50b983c5e7c90ae93b
SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
7KB
MD5
f1f28c768e9ff58bfd58902a18a13fbc
SHA1
8b25d2af3f011964358012dfa20464b5c4715ff4
SHA256
2e8c1f29484e5099a6dc37907f09e2421564f3d8cba841fcecd3e84aae2b251d
SHA512
7fcfaefef869eb2d0e4948f985bee46ef362c798b5071e90fd4e784580d8d4dc4e05e1793205c51a3f51222cdb231595e620bdb0974a3f01f3a30406239b0d01
-
Filesize
8KB
MD5
515e7f7bfe65e6cc8b1283d6ed5e9251
SHA1
0d35b3f5eb82650592815f5156730631c6db30ff
SHA256
8edce0208c539224bf027ae779e38090d3360b5474696b88afd078e86409e7d2
SHA512
3a194de1220016a85ebecb91b96e45a08c2c0a74cafbf42bce207a788b09c2b58984542b7f6d5da74d909fa30d551c1883a40c3a8a6537eda67a22c9b6c278a4
-
Filesize
12KB
MD5
f9b6eaf415435d89da3666c02efd1adc
SHA1
aeac2e60b4edd7024b58920a88b85d63abd98f71
SHA256
45b0ad070eb87de4e5043dde2203a23b674ac4a3d1ce991c7c8cfec84506b7a7
SHA512
8fccafb426dd806d5c85d9d7c77a5c2aeff0f7e34de8a0b3ce20873c40c86c8872ee7d74fa8208caa853f584c2821bc05e9d3b61116ffa17e99c4d52cb779cc7
-
Filesize
588KB
MD5
f00e8d932291a322aeeca557528df83e
SHA1
c125a3b2b0caa2fbf145f15a59ab42e3d5657608
SHA256
7548cad61af45f2e7083ec10dd8d46467236bb662941ecf411e3c82b04ddfad0
SHA512
0754c2ce4514c529c76e3452f3a36b2f1aae213281d642c8517ecee7c56bc102a7c7f8f0e36a7f353f7149d52317650a62c0db2896d5c1884c4a0cffe8db585f
-
Filesize
1.7MB
MD5
ffeced640a85b26aaa969dfa9b9ce8fa
SHA1
a7a0c1c8deb6c2ae0053531ca289fcce109966da
SHA256
cf98c8a96abb2ed2efa9109c65f4d4f02677a0e0cbbf15ac79e80c90be639f11
SHA512
c67cef447b1f1c3f53eb16e95bf76b902b862040f015671ad1d6445db9646a65329336607523bba1a411032f57451708569ff5dd8059cb1e3650608e76526248
-
Filesize
659KB
MD5
41812709c2c4295f26473f0ac235bd64
SHA1
4a78542854ecad065ba480118904169d45325438
SHA256
05a9c8528c71c5f4ff96fb3801e6860639491c5ca32a460e0229df354c8684b6
SHA512
d6fc2aa35a342cde6e0d0be76d5c77cae6ec19ca090d2bb290cf3dbe18051f33d2964f44e843d407c0981d55878fb8ff370d305f60d845c57e50dd23e612f8cb
-
Filesize
1.2MB
MD5
aa98fda0738403046f86a8b67fe713d3
SHA1
796cee8a74ce9d2a753b3931e5b3f046d0ad3317
SHA256
8e3950dac2a9d8660f4d09360ef3125ee0c370cac5858bdd38b8a7bedd8fae08
SHA512
870cdea1d25c6f05ba8a68c98014a6a867279bdf2944a3d7194a2415c40f94fca270ce6701a3e6ad2ff27f2fc2c760b35486df504ceed06b545ddc56a5115974
-
Filesize
578KB
MD5
75f2a75c7f0449bb34a2796c14721c94
SHA1
7cac4394a2482acac8c9cdb01e61fb8857f66c0a
SHA256
91793ae341e720ab795051cb46c129270e38ec618593dfe213b3b165be4fdd76
SHA512
8e167a9bfba25b2f4c9f6a2976b6010997080b9e5da3967dad5aa100bfca2a8d726e1f10450d036e51b3c4c65a4cbb9ad92a69fc58782d4034e7b31a622d7567
-
Filesize
940KB
MD5
0830d781ff3f32a348c5a945cbe9941d
SHA1
fe654dd005db92bfbad439331f8ea6219d4890fd
SHA256
70a11478747b74abeba73b17b4613b8e78140ac7de26e6b00faf43192a2f1916
SHA512
2fd7812fcdea268261928a3475aa95db4dda0e32f8fdc7faf3700150593ee22f741e9a734cc3d4032dd13d70a060e782094990084b31f52d4daf9af19a6abbd8
-
Filesize
671KB
MD5
d1abfa03919a0c7a892d1c06a3bf098e
SHA1
456ca9620e4d559ef7ebe1ef770fda2d9ceaf809
SHA256
9f629bc091a6c8a517041aeeabfa5ffa160f2a71ce93b521954ca79d72e6e754
SHA512
22edbe3ef05b0ac6435dfcbb53e9195edc884374b6750e546be66f4a56538798389fdc0fd1d36fbe86b2953142013e60bbc0d7ae023be7ca006c9b243014d140
-
Filesize
1.4MB
MD5
5b9e28407189df95cd42da2af2bea4a1
SHA1
599614f4ad45ce540a1bc65dfe33128cab60171e
SHA256
7e26e1f61cc0f3f054e14178b92331170b200758cb128d025f8d5a183fdb081c
SHA512
20498b2ae12beef066367e4f2eb30e06a7a27ea41a7991aa07768b1622b19a9503394cf6ad2a18e5f1d918ecc48b06255b8cbba59d2699dd567de1b3183b2aa2
-
Filesize
1.8MB
MD5
d00ac2069e559ca75682c19ce3d100eb
SHA1
d0977df5a2f878eea08523db75fc9c03e76c431a
SHA256
4963895613b13be5e612eec1d77f8bb903c95247b1911917638b4f21e50ac675
SHA512
5bfe43eeb7b90257365d3b23141416f9bbab7bf4d9a7bed9889d3394f738a148a0f088857bd975844f5e5d9295b01ef5cbc5f896df0498b73cf843df6e0dd976
-
Filesize
1.4MB
MD5
9b6f413c238dc67d60744ef02871e67b
SHA1
1f33e64dc17e48636a7aa02c2f5a9aa07d8c26b0
SHA256
a91a94ea328c611d415ed80d1e2708ef240398fa7c24383316a00c7f66e9a92e
SHA512
ad8a94c6c199829f22204251223c67913379031e7e3f03982bece100d32b21e9342aef87e8beaa5e169129b138d51f36f4c01494697c04aa2f8397536f136bff
-
Filesize
885KB
MD5
8f6f8f8a958ffe3b0e6c33e1b19982f1
SHA1
d1a51e55f5018e6546bcd8c75e84110077354dbc
SHA256
a54c75ceb15f6a7553693075036710e2f186d90bc8067c2a4ae39e032fa32f3d
SHA512
d7b00b0b9a3706d30cf6a7bb20d827f2197e1eee19bd1e09b2d045e1ef16d1656dd5d0c5769d796e2ae035b1e1f57f44f482ddab698b411738b4f628efa741b2
-
Filesize
2.0MB
MD5
b4065fc337acae5fbbcfbb6d5362da62
SHA1
2fd5626df60f3335b5312fb56e2b1106eee1540f
SHA256
b238a9f1b3436937e3401717c66a805c89032058b4f842b83684f16db279e35d
SHA512
29e9b25b4600d8b2ed5a326bf96bd2b8769076e5e972ac3427a39fcb22ed4ff2e22ca6dce3706b0c56d49bdb257aaf73103c36c270f98149fc1d307aa3cf6491
-
Filesize
661KB
MD5
31a2173ab04a52d6270548d5d9612a25
SHA1
8034a23822a4248f75d37830f2314869816b3a82
SHA256
07a8e5a9cee6c41d0d391be3d5df3f1297eb63f1ed55766ef82a8c273aced627
SHA512
2185a358688eb33f31aa743df3cfeb545bb9a29259f7f4d2e9a2f736ebfcbe328fd9b39fa0f84b7c203391d73106963ff8ae277684594e55225685c54f2c271a
-
Filesize
712KB
MD5
d9810a5ee8f611ba1f8001d6e33daaaa
SHA1
b9be110e7fc9d2aa04e3cd51f3048cbc56371b77
SHA256
0411667fd27a7d0e2cd9e07aeef41c95e2dbc5db9b6fe4329ef5ef808b2c4680
SHA512
91beb7f3435e9d52bf5ebc793a149c78ea42b7bc6d1aca648439903f3d2e448c2923da0772b508ebfaeda44b10d1f6de6dbed3d007eef0f033857cac2fcd68d1
-
Filesize
584KB
MD5
798b1c8250fad1de7c0ac22c2d669350
SHA1
93fcdc0f7185cc28494bc37a3a8ee35ff97c07b0
SHA256
e5c5f659ae84582fbd4a6db59d89d3ba71e572bf3fb96e32561cde77f3775c55
SHA512
629b95dbfda75f7120f86e5fd56c11d5eb6ed6d93473af9a45aa5ace72c1ae5978814f22bdfeef64f88fb7e264c83799bdc1dfdb18027dabfff641e492d3eb80
-
Filesize
1.3MB
MD5
3c9ccd6c3b8a769c3a517ecae2264c0c
SHA1
3cad67b47e266a64135c3493a1a7c36e8e105068
SHA256
32c7ce549c51dd75bc3afe991c27c6c0a3cdd6ea64d23137a63eddad15423981
SHA512
79f1224afcf031e80836f808c432e8307746c3c0b6a8be7691e9c701d6665cbb52aa78ae75add2c0b5ec7a7db70cad37a83aa0e41d0313cab8f57d14ab13a42d
-
Filesize
772KB
MD5
aff079c34d4a7cb2d4f7f4de64d9a828
SHA1
681a5a6e7152cf2b96308148fa66c442c0c611df
SHA256
9de2680443bfeb6effe37e8193e7c6f890f0cd9d54e8a3afc901d0d77b3cc9ba
SHA512
7fc11a0913fee6f0a29c5d42a55d89adf5ebaf3c08ce359809f8ca09a7bab3f35abf09cf3b87c51df5b7dce00f131c2fc889cb974ebf5160687fd382d963420f
-
Filesize
2.1MB
MD5
36b4af1b73f76d64b45fad8c936e4684
SHA1
a8b69ab86016dcb4e59fca1cba1c590ac0810bb2
SHA256
27bd6464fce6b3dd5deecffb9966cb93865c6fa612b128b643ca28d6fc379903
SHA512
84d53e2f04d21097cb86a21e9d7d8b6b1b130096db43722d753a20ad6912beffe4c05ff989579fd83d42aa23b02d2795c7f55bc576f41a4464cf3918bb4c4743
-
Filesize
40B
MD5
93639f5ec6435bab142797333d625b68
SHA1
f1e8d9462ccde482a58fcdf0825ad2f234d84168
SHA256
003bb916b42cd772096ff0306a9ae0c724b6d41fd3a7f1f30508e651973068be
SHA512
e7ff808ada00309e48c2b5921ee0d0ce5a1c608889c34352e831633a9913879a236ef20a640949a470c652f96b8ab4a9765c45cd14fbb9da346e4c3af68748b3
-
Filesize
1.3MB
MD5
4ed91b691fe4098b48734b23cf866bc6
SHA1
7b1ca23642b80e442c352a5d70bdbc87d87ea38b
SHA256
ad242b59a4df2d89e371b90b93db321b733abaa681924101edd14f72f185de15
SHA512
2161473912920d1d3252ff31826bf4cd13649ebf91d2436f1e87dce9d70a6b3d19648fbdba630810c1f89e1b5e6a32b0d60fb7d0428eba37f6773e418c5daed5
-
Filesize
877KB
MD5
704b40a33e63942bc775a7f472fd06e5
SHA1
1e17b8d79c5ff43db043daf3e2290f2af37fbdf7
SHA256
e4a072e820727536656c0cfaee4ac3b2c34dae1f1417dcbbd4736c63bcd324d4
SHA512
9e4514baec91e422601914abfd11572acdbcd439d3d7055bf94f5825621d9856fd35c88fe403d27f7efeb48742d6f646154e477d56809690a232f84f5af7a4cd
-
Filesize
635KB
MD5
44b51ed80e5b02870c7bcaec94e74ef3
SHA1
162d36f2e04f5d4d7dde7000d37d747eacd484f4
SHA256
4c7faf0945cdc4f9685fa3f61179438c255e6b66dba80713c7f6b761c6713781
SHA512
5a0f8a31a2eb85a0084318f6bd0ecc4616a16bcaf58d3621706142154ba448ef4945c76f0e6676e1e7948d763c041cae6ffd1e070983fee91868f0137a1b8a3d
-
Filesize
5.6MB
MD5
b119ec8d2047b41f6bf8eb14688b033c
SHA1
6a343f89457d0c384731537b54c3b98b7acb8446
SHA256
b9dade84141d74520162f4bdc9cb2f2ec910d697e57530a53e52ce924d53f759
SHA512
0776973dbcd2b9a229c2654b20e468e856fe97d2a4f4e5aab96624f1a3473a15bc40a2521996b8bd4b526ba48ad573aebaa980b526f3275b8bc91f32354d2600