Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2024, 22:51
Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
Resource: win7-20240220-en
General
Target: 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
Size: 5.5MB
MD5: 9cad1e5895412410cd5a14e97270cfa9
SHA1: 00ef5357527b3d2fff743fb9d07fef13e131d3a5
SHA256: 597ef1bd53078b8af9a91e9d509dc01e15b539ff9a875200f5dedaf33628830d
SHA512: 820db3e170fe6d85155c118c5b7ce395724e5cc2df3326c4b3aa9f14c549fef99de3572ff3bfd723cbdc4994f9847a99ac47145534561fd33bb63534b540dfa0
SSDEEP: 98304:sAI5pAdVJn9tbnR1VgBVm1RVlbnP9WXW7H6C:sAsCh7XYEHBVH
Malware Config
Signatures
Executes dropped EXE (26 IoCs)
Most of the images in this list (alg.exe, fxssvc.exe, msdtc.exe, vds.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe and the other service executables) appear in the "Drops file in ..." tables below as files the sample opened for modification before they ran; alg.exe in turn appears there as the modifying process for further executables under System32 and Program Files.
pid | Process
628 | alg.exe
1244 | DiagnosticsHub.StandardCollector.Service.exe
4136 | fxssvc.exe
4036 | elevation_service.exe
3392 | elevation_service.exe
736 | maintenanceservice.exe
1560 | msdtc.exe
3812 | OSE.EXE
996 | PerceptionSimulationService.exe
8 | perfhost.exe
4472 | locator.exe
4716 | SensorDataService.exe
4228 | snmptrap.exe
2928 | spectrum.exe
3932 | ssh-agent.exe
3944 | TieringEngineService.exe
1876 | AgentService.exe
4436 | vds.exe
2832 | vssvc.exe
3372 | wbengine.exe
1768 | WmiApSrv.exe
1596 | SearchIndexer.exe
6132 | chrmstp.exe
5244 | chrmstp.exe
5400 | chrmstp.exe
5452 | chrmstp.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Drops file in System32 directory (31 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\locator.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\6ea34e6f293b476c.bin | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | alg.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
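The three "Drops file in ..." tables and the "Executes dropped EXE" list describe one chain: the sample opens service and updater executables for modification, some of those images later run, and one of them (alg.exe) goes on to modify further executables. The Python below is an added example, not part of the sandbox report, that parses a constructed excerpt of these rows in the flattened "File opened for modification <path> <process>" form the page uses and pivots them into that chain. All paths and process names in the excerpt are taken from the tables above; the excerpt deliberately omits the vds.exe modification row (which is present in the System32 table) so that the "executed but not seen modified" check has something to report. Function names and output keys are this example's own.

```python
"""Pivot the flattened IoC rows of a sandbox report into a propagation chain.

Added example, not code from the report.  Input rows are constructed from
the report's own tables (see the lead-in).
"""
import re
from collections import defaultdict

SAMPLE = "2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe"

# Constructed input: a subset of the "Drops file in ..." rows, in the flattened
# "File opened for modification <path> <process>" form the page uses.
# The vds.exe row is deliberately left out so the last check below fires.
FILE_IOCS = """\
File opened for modification C:\\Windows\\system32\\fxssvc.exe {s}
File opened for modification C:\\Windows\\System32\\alg.exe {s}
File opened for modification C:\\Windows\\System32\\msdtc.exe {s}
File opened for modification C:\\Program Files\\Mozilla Firefox\\firefox.exe {s}
File opened for modification C:\\Windows\\system32\\dllhost.exe alg.exe
File opened for modification C:\\Windows\\system32\\fxssvc.exe alg.exe
File opened for modification C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\6ea34e6f293b476c.bin alg.exe
File opened for modification C:\\Program Files\\7-Zip\\7zFM.exe alg.exe
File opened for modification C:\\Windows\\system32\\MSDtc\\MSDTC.LOG msdtc.exe
""".format(s=SAMPLE)

# Constructed input: a subset of the "Executes dropped EXE" rows (pid, image).
EXECUTED = """\
628 alg.exe
4136 fxssvc.exe
1560 msdtc.exe
4436 vds.exe
"""

# The path may contain spaces (Program Files); the process image name in this
# report never does, so the last space separates the two columns.
ROW = re.compile(r"^File opened for modification (.+) (\S+)$")


def parse_file_iocs(text):
    """Return (path, process) pairs from flattened 'Drops file' rows."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2)))
    return rows


def parse_executed(text):
    """Return the set of image names from 'pid image' rows."""
    return {line.split()[1] for line in text.splitlines() if line.strip()}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def propagation(file_iocs, executed, sample=SAMPLE):
    """Relate the tables: what the sample touched, which of those images later
    ran, and what the re-run images touched in turn (second generation)."""
    modified_by = defaultdict(set)   # process -> {basename, lower-cased}
    writes_by = defaultdict(list)    # process -> [full path as reported]
    for path, proc in file_iocs:
        modified_by[proc].add(basename(path).lower())
        writes_by[proc].append(path)
    executed_lower = {e.lower() for e in executed}
    first_wave = modified_by[sample]
    return {
        # executables the sample modified that subsequently show up as running
        "modified_then_executed": sorted(first_wave & executed_lower),
        # executed images for which no other process has a modification row
        "executed_not_seen_modified": sorted(
            e for e in executed_lower
            if not any(e in m for p, m in modified_by.items() if p.lower() != e)),
        # files written by images that themselves ran
        "second_wave": {p: sorted(basename(x) for x in writes_by[p])
                        for p in sorted(writes_by) if p.lower() in executed_lower},
        # non-PE artifacts written in the second wave, worth collecting
        "non_pe_artifacts": sorted(
            x for p, xs in writes_by.items() if p.lower() in executed_lower
            for x in xs if not x.lower().endswith(".exe")),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(propagation(parse_file_iocs(FILE_IOCS),
                                 parse_executed(EXECUTED)), indent=2))
```

Running the file prints the four buckets as JSON. The `executed_not_seen_modified` bucket is the one to chase in a real triage: an image that ran as "dropped" without a visible write to it means either the write was not captured or the row fell outside what the table shows, so the binary on disk should be hashed and signature-checked rather than assumed clean.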
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments. In this run the reads were made by SensorDataService.exe and spectrum.exe, both of which the sample had opened for modification (see "Drops file in System32 directory"), and the device IDs themselves (Ven_QEMU / Prod_QEMU_DVD-ROM, Ven_Msft / Prod_Virtual_DVD-ROM) identify the analysis VM; whether the reads come from the services' own device enumeration or from the modified code cannot be decided from this table alone.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
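The device instance paths in this table already contain what an evasive sample looks for: the vendor and product fields of the SCSI enumerator (Ven_QEMU / Prod_QEMU_DVD-ROM, Ven_Msft / Prod_Virtual_DVD-ROM) name the hypervisor's emulated storage. The Python below is an added example, not code from the report or the sample, that parses the `SCSI\<Class>&Ven_<v>&Prod_<p>\<instance>` form of the keys shown above and applies a short hypervisor-vendor list to them. The four key paths are taken from the table; the indicator list, and the reading of Msft/Virtual as Hyper-V-style synthetic storage, are this example's assumptions. `live_scsi_keys()` enumerates the same keys from the live registry on Windows (the same reads SensorDataService.exe and spectrum.exe made here) and returns an empty list elsewhere.

```python
"""Parse SCSI enumerator keys and apply a hypervisor-vendor heuristic.

Added example, not from the report.  Key paths are taken from the report's
"Checks SCSI registry key(s)" table; the indicator list is an assumption.
"""
import sys

# Constructed input: the four device instances that appear in the table,
# written relative to HKLM\SYSTEM\ControlSet001\Enum.
REPORT_KEYS = [
    r"SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001",
    r"SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002",
    r"SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000",
    r"SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000",
]

# Illustrative indicator list (this example's assumption, not from the
# report): substrings of vendor/product fields that name common hypervisors'
# emulated storage.  Checked in this order; first match wins.
VM_INDICATORS = {
    "QEMU": "QEMU/KVM",
    "VBOX": "VirtualBox",
    "VMWARE": "VMware",
    "VIRTUAL": "Hyper-V-style virtual device",
}


def parse_device_id(key_path):
    r"""Split 'SCSI\<Class>&Ven_<v>&Prod_<p>[&Rev_<r>]\<instance>' into parts."""
    parts = key_path.split("\\")
    if len(parts) < 3 or parts[0].upper() != "SCSI":
        raise ValueError("not a SCSI enumerator path: %r" % key_path)
    fields = parts[1].split("&")
    info = {"class": fields[0], "vendor": "", "product": "", "revision": "",
            "instance": parts[2]}
    for f in fields[1:]:
        if f.startswith("Ven_"):
            info["vendor"] = f[4:]
        elif f.startswith("Prod_"):
            info["product"] = f[5:]
        elif f.startswith("Rev_"):
            info["revision"] = f[4:]
    return info


def vm_indicator(info):
    """Return the hypervisor label an evasive sample would infer, or None."""
    haystack = (info["vendor"] + " " + info["product"]).upper()
    for needle, label in VM_INDICATORS.items():
        if needle in haystack:
            return label
    return None


def assess(key_paths):
    """Per-device verdicts plus an overall 'looks virtual' flag."""
    devices = []
    for k in key_paths:
        info = parse_device_id(k)
        info["indicator"] = vm_indicator(info)
        devices.append(info)
    return {"devices": devices,
            "looks_virtual": any(d["indicator"] for d in devices)}


def live_scsi_keys(control_set="CurrentControlSet"):
    """Windows only: enumerate device/instance keys under Enum\\SCSI from the
    live registry, in the same relative form as REPORT_KEYS."""
    if sys.platform != "win32":
        return []
    import winreg
    found = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\%s\Enum\SCSI" % control_set) as scsi:
        i = 0
        while True:
            try:
                dev = winreg.EnumKey(scsi, i)
            except OSError:
                break
            i += 1
            with winreg.OpenKey(scsi, dev) as devkey:
                j = 0
                while True:
                    try:
                        inst = winreg.EnumKey(devkey, j)
                    except OSError:
                        break
                    j += 1
                    found.append("SCSI\\%s\\%s" % (dev, inst))
    return found


if __name__ == "__main__":
    for d in assess(REPORT_KEYS)["devices"]:
        print(d["class"], d["vendor"], d["product"], "->", d["indicator"])
```

On the report's own keys three of the four devices trip the heuristic and the disk (Ven_DADY) does not, which is the sandbox's choice of a non-descriptive vendor string; a sample that only checked the disk would be fooled, one that also walked the CdRom instances would not.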
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. Here the reader is TieringEngineService.exe, itself one of the executables the sample opened for modification.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
The writers here are SearchProtocolHost.exe, SearchFilterHost.exe and SearchIndexer.exe (the Windows Search indexer; SearchIndexer.exe is on the executed-EXE list), fxssvc.exe (the fax service, also on that list) and chrome.exe. The values are MuiCache resource strings, Explorer FileExts defaults and Shell Extensions cache entries under .DEFAULT plus one TPM telemetry timestamp; no Run, Services or other autostart key appears among them.
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c10e578c1aa7da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4d17a8c1aa7da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000003977f8c1aa7da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133602871368734126" | chrome.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000320d768c1aa7da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Modifies registry class 1 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe -
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid Process
2964 chrome.exe
2964 chrome.exe
4768 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe (this row repeats 35 times in the report)
5972 chrome.exe
5972 chrome.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
660 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process
2964 chrome.exe
2964 chrome.exe
2964 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 232 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe Token: SeTakeOwnershipPrivilege 4768 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe Token: SeAuditPrivilege 4136 fxssvc.exe Token: SeRestorePrivilege 3944 TieringEngineService.exe Token: SeManageVolumePrivilege 3944 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 1876 AgentService.exe Token: SeBackupPrivilege 2832 vssvc.exe Token: SeRestorePrivilege 2832 vssvc.exe Token: SeAuditPrivilege 2832 vssvc.exe Token: SeBackupPrivilege 3372 wbengine.exe Token: SeRestorePrivilege 3372 wbengine.exe Token: SeSecurityPrivilege 3372 wbengine.exe Token: 33 1596 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 1596 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1596 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1596 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1596 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1596 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1596 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1596 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1596 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1596 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1596 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1596 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1596 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1596 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1596 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1596 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1596 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1596 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1596 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1596 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1596 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1596 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1596 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1596 SearchIndexer.exe Token: 
SeTakeOwnershipPrivilege 1596 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1596 SearchIndexer.exe Token: SeShutdownPrivilege 2964 chrome.exe Token: SeCreatePagefilePrivilege 2964 chrome.exe Token: SeShutdownPrivilege 2964 chrome.exe Token: SeCreatePagefilePrivilege 2964 chrome.exe Token: SeShutdownPrivilege 2964 chrome.exe Token: SeCreatePagefilePrivilege 2964 chrome.exe Token: SeShutdownPrivilege 2964 chrome.exe Token: SeCreatePagefilePrivilege 2964 chrome.exe Token: SeShutdownPrivilege 2964 chrome.exe Token: SeCreatePagefilePrivilege 2964 chrome.exe Token: SeShutdownPrivilege 2964 chrome.exe Token: SeCreatePagefilePrivilege 2964 chrome.exe Token: SeShutdownPrivilege 2964 chrome.exe Token: SeCreatePagefilePrivilege 2964 chrome.exe Token: SeShutdownPrivilege 2964 chrome.exe Token: SeCreatePagefilePrivilege 2964 chrome.exe Token: SeShutdownPrivilege 2964 chrome.exe Token: SeCreatePagefilePrivilege 2964 chrome.exe Token: SeShutdownPrivilege 2964 chrome.exe Token: SeCreatePagefilePrivilege 2964 chrome.exe Token: SeShutdownPrivilege 2964 chrome.exe Token: SeCreatePagefilePrivilege 2964 chrome.exe Token: SeShutdownPrivilege 2964 chrome.exe Token: SeCreatePagefilePrivilege 2964 chrome.exe Token: SeShutdownPrivilege 2964 chrome.exe Token: SeCreatePagefilePrivilege 2964 chrome.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process
2964 chrome.exe
2964 chrome.exe
2964 chrome.exe
5400 chrmstp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 232 wrote to memory of 4768 232 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe 83 PID 232 wrote to memory of 4768 232 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe 83 PID 232 wrote to memory of 2964 232 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe 84 PID 232 wrote to memory of 2964 232 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe 84 PID 2964 wrote to memory of 3852 2964 chrome.exe 85 PID 2964 wrote to memory of 3852 2964 chrome.exe 85 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 
2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 868 2964 chrome.exe 112 PID 2964 wrote to memory of 760 2964 chrome.exe 113 PID 2964 wrote to memory of 760 2964 chrome.exe 113 PID 2964 wrote to memory of 4732 2964 chrome.exe 114 PID 2964 wrote to memory of 4732 2964 chrome.exe 114 PID 2964 wrote to memory of 4732 2964 chrome.exe 114 PID 2964 wrote to memory of 4732 2964 chrome.exe 114 PID 2964 wrote to memory of 4732 2964 chrome.exe 114 PID 2964 wrote to memory of 4732 2964 chrome.exe 114 PID 2964 wrote to memory of 4732 2964 chrome.exe 114 PID 2964 wrote to memory of 4732 2964 chrome.exe 114 PID 2964 wrote to memory of 4732 2964 chrome.exe 114 PID 2964 wrote to memory of 4732 2964 chrome.exe 114 PID 2964 wrote to memory of 4732 2964 chrome.exe 114 PID 2964 wrote to memory of 4732 2964 chrome.exe 114 PID 2964 wrote to memory of 4732 2964 chrome.exe 114 PID 2964 wrote to memory of 4732 2964 chrome.exe 114 PID 2964 wrote to memory of 4732 2964 chrome.exe 114 PID 2964 wrote to memory of 4732 2964 chrome.exe 114 PID 2964 wrote to memory of 4732 2964 chrome.exe 114 PID 2964 wrote to memory of 4732 2964 chrome.exe 114 PID 2964 wrote to memory of 4732 2964 chrome.exe 114 PID 2964 wrote to memory of 4732 2964 chrome.exe 114 PID 2964 wrote to memory of 4732 2964 chrome.exe 114 PID 2964 wrote to memory of 4732 2964 chrome.exe 114 PID 2964 wrote to memory of 4732 2964 chrome.exe 114 PID 2964 wrote to memory of 4732 2964 chrome.exe 114 PID 2964 wrote to memory of 4732 2964 chrome.exe 114 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups/snapshots. Ransomware routinely calls into it, through the COM API or via vssadmin/wmic, to enumerate and delete shadow copies so that encrypted files cannot be rolled back (MITRE ATT&CK T1490, Inhibit System Recovery). In this run the process list below shows vssvc.exe (PID 2832) starting and acquiring SeBackupPrivilege and SeRestorePrivilege. On an affected host, confirm whether shadow copies still exist before relying on them for recovery.
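Added check, not part of the sandbox report: the parser below reads the text that `vssadmin list shadows` prints, so an incident responder can confirm, offline from captured triage output or live on the host, whether shadow copies still exist after a run like this one. The sample output is constructed in vssadmin's format; its GUIDs and the machine name WIN10-SANDBOX are placeholders, not values from the report.

```python
"""Post-incident check: did the volume shadow copies survive?

Parses the text `vssadmin list shadows` prints, so the same function works
offline on output captured by a triage script and live on a Windows host.
"""
import re
import subprocess
import sys

# Constructed output in vssadmin's format; the set/copy GUIDs, volume GUID
# and machine name are invented placeholders, not values from the report.
SAMPLE_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {2b4d7c2e-8f1a-4d3b-9e6c-1a2b3c4d5e6f}
   Contained 1 shadow copies at creation time: 5/15/2024 10:51:00 PM
      Shadow Copy ID: {7f0c3a11-5d2e-4b8a-a1c9-0e1f2a3b4c5d}
         Original Volume: (C:)\\?\Volume{e1d2c3b4-a5f6-4e7d-8c9b-0a1b2c3d4e5f}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WIN10-SANDBOX
         Service Machine: WIN10-SANDBOX
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, Differential, No writers
"""

# What vssadmin prints once every shadow copy is gone.
EMPTY_OUTPUT = """vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.
"""

# The set header carries the creation time for the copies that follow it.
CREATED_RE = re.compile(r"shadow copies at creation time:\s*(.+?)\s*$", re.M)


def parse_vssadmin_shadows(text):
    """Return one dict per shadow copy: id, created, original_volume, ..."""
    copies = []
    created = None
    # Each copy starts with a "Shadow Copy ID:" line followed by indented
    # "Key: value" lines. Chunk 0 is the banner plus the first set header.
    for i, chunk in enumerate(re.split(r"(?m)^[ \t]*Shadow Copy ID:[ \t]*", text)):
        if i:
            lines = chunk.splitlines()
            entry = {"id": lines[0].strip(), "created": created}
            for line in lines[1:]:
                if line.startswith("Contents of shadow copy set"):
                    break  # header of the next set, not an attribute of this copy
                key, sep, value = line.strip().partition(":")
                if sep:
                    entry[key.strip().lower().replace(" ", "_")] = value.strip()
            copies.append(entry)
        # A set header in this chunk applies to the copies in later chunks.
        m = CREATED_RE.search(chunk)
        if m:
            created = m.group(1)
    return copies


def shadow_copies_present(text):
    """True if the captured vssadmin output lists at least one shadow copy."""
    return bool(parse_vssadmin_shadows(text))


def live_shadow_copies():
    """Run vssadmin on this host (Windows, elevated prompt) and parse it."""
    if sys.platform != "win32":
        raise RuntimeError("vssadmin list shadows only exists on Windows")
    proc = subprocess.run(["vssadmin", "list", "shadows"],
                          capture_output=True, text=True, check=True)
    return parse_vssadmin_shadows(proc.stdout)


if __name__ == "__main__":
    for c in parse_vssadmin_shadows(SAMPLE_OUTPUT):
        print(f"{c['id']} created {c['created']} for {c['original_volume']}")
    print("copies present after deletion:", shadow_copies_present(EMPTY_OUTPUT))
```

Capture `vssadmin list shadows` from an elevated prompt as part of host triage and keep the text; an empty result on a machine that had a restore point schedule is itself an indicator that recovery was inhibited, and it should be weighed together with the vssvc.exe privilege use recorded above.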
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Users\Admin\AppData\Local\Temp\2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2dc,0x2a8,0x2e0,0x140462458,0x140462468,0x1404624782⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4768
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff97d54ab58,0x7ff97d54ab68,0x7ff97d54ab783⤵PID:3852
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1888,i,14649047919980816534,17659539622394020812,131072 /prefetch:23⤵PID:868
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1888,i,14649047919980816534,17659539622394020812,131072 /prefetch:83⤵PID:760
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2168 --field-trial-handle=1888,i,14649047919980816534,17659539622394020812,131072 /prefetch:83⤵PID:4732
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1888,i,14649047919980816534,17659539622394020812,131072 /prefetch:13⤵PID:632
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1888,i,14649047919980816534,17659539622394020812,131072 /prefetch:13⤵PID:4640
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4252 --field-trial-handle=1888,i,14649047919980816534,17659539622394020812,131072 /prefetch:13⤵PID:2404
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3904 --field-trial-handle=1888,i,14649047919980816534,17659539622394020812,131072 /prefetch:83⤵PID:5200
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=1888,i,14649047919980816534,17659539622394020812,131072 /prefetch:83⤵PID:5228
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4708 --field-trial-handle=1888,i,14649047919980816534,17659539622394020812,131072 /prefetch:83⤵PID:5956
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1888,i,14649047919980816534,17659539622394020812,131072 /prefetch:83⤵PID:6020
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings3⤵
- Executes dropped EXE
PID:6132 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x268,0x2a0,0x14044ae48,0x14044ae58,0x14044ae684⤵
- Executes dropped EXE
PID:5244
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=04⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5400 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x274,0x298,0x14044ae48,0x14044ae58,0x14044ae685⤵
- Executes dropped EXE
PID:5452
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1888,i,14649047919980816534,17659539622394020812,131072 /prefetch:83⤵PID:5512
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1888,i,14649047919980816534,17659539622394020812,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:5972
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:628
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:1244
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:516
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4136
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4036
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3392
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:736
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1560
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:3812
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:996
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:8
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:4472
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4716
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:4228
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2928
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:3932
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:1240
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3944
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1876
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:4436
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2832
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3372
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1768
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1596 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:5740
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:5820
-
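The tree above tags the sample (PIDs 232 and 4768) with "Drops file in System32 directory" and then lists alg.exe, fxssvc.exe, msdtc.exe and a series of other Windows service binaries as "Executes dropped EXE", with alg.exe in turn tagged as dropping files into System32. Read together, that means the service executables on disk were modified before the Service Control Manager started them. The script below is an added example, not part of the report or of any sandbox tooling: it parses rows in the format of the report's two tables, reports which executables the sample modified that later ran, and walks that relationship transitively. The row excerpts are constructed to mirror the report's row format and are not the complete tables; the dllhost.exe row is a constructed illustration of a second-stage modification.

```python
"""Correlate "Drops file in System32 directory" rows with "Executes dropped EXE" rows.

Drop rows have the shape      File opened for modification <path> <process>
Executed rows have the shape  <pid> <image name>
A service binary that appears in both was rewritten on disk before the
service started, so the file the service ran is no longer the original.
"""
import ntpath
import re
from collections import defaultdict, deque

SAMPLE = "2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe"

# Constructed excerpts in the report's row format, not the complete tables.
DROP_ROWS = r"""
File opened for modification C:\Windows\system32\fxssvc.exe 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification C:\Windows\System32\alg.exe 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification C:\Windows\System32\msdtc.exe 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe 2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
File opened for modification C:\Windows\system32\dllhost.exe alg.exe
"""
EXEC_ROWS = """
628 alg.exe
4136 fxssvc.exe
1560 msdtc.exe
6132 chrmstp.exe
5244 chrmstp.exe
"""

# The path may contain spaces; the trailing process token does not.
DROP_RE = re.compile(r"^File opened for modification (?P<path>.+?) (?P<proc>\S+)$")
EXEC_RE = re.compile(r"^(?P<pid>\d+) (?P<image>.+)$")


def parse_drops(text):
    """path -> set of lower-cased image names that opened it for modification."""
    drops = defaultdict(set)
    for line in text.splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            drops[m["path"]].add(m["proc"].lower())
    return drops


def parse_execs(text):
    """lower-cased image name -> list of PIDs that ran under that name."""
    execs = defaultdict(list)
    for line in text.splitlines():
        m = EXEC_RE.match(line.strip())
        if m:
            execs[m["image"].lower()].append(int(m["pid"]))
    return execs


def tampered_and_executed(drops, execs, modifier=SAMPLE):
    """Executables the given process modified that later ran, with their PIDs."""
    hits = []
    for path, procs in drops.items():
        name = ntpath.basename(path).lower()
        if modifier.lower() in procs and name in execs:
            hits.append((path, execs[name]))
    return sorted(hits, key=lambda h: h[0].lower())


def propagation(drops, execs, root=SAMPLE):
    """Breadth-first walk: root modifies X, X runs, X modifies Y, and so on.

    Returns (modifier, path, ran) triples; non-executable paths are skipped.
    """
    by_modifier = defaultdict(list)
    for path, procs in drops.items():
        for proc in procs:
            by_modifier[proc].append(path)
    seen, chain, frontier = set(), [], deque([root.lower()])
    while frontier:
        cur = frontier.popleft()
        for path in by_modifier.get(cur, []):
            name = ntpath.basename(path).lower()
            if not name.endswith(".exe") or name in seen:
                continue
            seen.add(name)
            ran = name in execs
            chain.append((cur, path, ran))
            if ran:  # only a binary that actually ran can modify further files
                frontier.append(name)
    return chain


if __name__ == "__main__":
    drops, execs = parse_drops(DROP_ROWS), parse_execs(EXEC_ROWS)
    for path, pids in tampered_and_executed(drops, execs):
        print(f"modified by sample, later executed as PID {pids}: {path}")
    for modifier, path, ran in propagation(drops, execs):
        print(f"{modifier} -> {path} ({'ran' if ran else 'not seen running'})")
```

Feed it the full tables exported from the report to get the complete list. On a host where this pattern is found, verify each flagged binary's Authenticode signature and compare its hash against a known-good copy from installation media or a clean peer: a service binary under System32 that has been rewritten will fail signature validation, and reinstalling from the vendor package rather than simply stopping the service is the remediation.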
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD539ad08864f71741a825e511ba5afa5ee
SHA179cb2ad230f2cbd48b5ae7767483bb8ae7a115e3
SHA256c6fefd8efd1ccdaa3f78fd5fc8c5c9e3081c1dee46cd1a1dcd007f2e3fa5cde2
SHA512deea9cbcb323320fb50b15788057262dcbf2545ede3966c8211da0f1102b58f62efb37ec3781c8d227524bb51b297e49d41f698a509c70ce2c14bd124c48f46d
-
Filesize
1.5MB
MD576f965ea14b25ec0e51277d692b36678
SHA102e835e85293d4d704e2e5236dd245ae686339fa
SHA256de3d7240b6ef73c0fa14ddfd7d86c332547405e983830cc15ab745defbac1f16
SHA5129258533af54e026835670bfa20e4ef0192d2c702e6ec0ae2b932cdc2c6f125c7e284f48c08971c81dab92f155af77dcb927c628591e4835bdff95dd08926d837
-
Filesize
1.8MB
MD5c84733cf28bba3e6b280ed07bdc51890
SHA1d75a864251486f35760bcec9a03c8e21f5ed129d
SHA2564dedc0e7e7a14d1fcc0461bcf6f2f37aa0bebce499e1632bcf7b6e278cece5ff
SHA5129cedcf2f68c991013e4e772146f16e38b19da31fc2fc8dcd37248bfba5c99710ca83292c03ebc091d8d52161727ddb1facf96ae7f6d96101bb5783beffaa0998
-
Filesize
1.5MB
MD55c1785bff37b97f2745d9e06ceb4c45e
SHA1ad067626596c64cb20713aed7c1bc79ae42d4ce1
SHA256fc048dda2e635e6d57637ecfddae067bfe3d50ad3f02f5587526a2c11283bfa4
SHA5128c0ce19570aa0a3c347324d517d0ae67327f8a28090654c1bac059abd8d83152b75f99d041bd90dbf4d867b16d49645290d39a620a8e42329df4dc1359c21b5d
-
Filesize
1.2MB
MD52e9c8d9060f66989776d870c6c28c53c
SHA10c37dd70e9fb25ab0a90bb5eaaba1ef9c9766456
SHA25661788a1978b663c9ae848f4752839e2aeea91d7b7bb79be928e4cc0980fce59d
SHA51205cf4ca139e37e2db993c83dd33902263e647fa16c088c0f98f8f46b2fafb2082c2dbb4cf3178da98440b7adece0bb0cf12af3fb1f54beb20a0ff438dc1ee20f
-
Filesize
1.3MB
MD5de6f2997e8be3496f9d6ef29e2d68d4b
SHA1a1756af8db2e93c5a5d3fa2114c95362bd361751
SHA2569dede9148ef262eeae345f8c8aa44cdb79e40147a419d47d9ca1cb88f9aaa193
SHA51284138fc80af40564b0ceaf607b2e8164d103d4325408df31587d61c6445f0b1889bc8ff027355ef47cb14192b82143470b5f196c105d6a5525aa23c77206406e
-
Filesize
1.5MB
MD57ce14db9cb3f1bcc51742a3a10011146
SHA176c2d1486b9741d99598301a1535a392e5d6cd9e
SHA2560eb74df92a00aface6c3e8d9e0206ec47ebd1e87ffaec875eb23a00ad116bad0
SHA512ee506ba73bc0e2679820d9abfb30cc729bc39f6be342e0017146a3f081e26a6792c8f083dcba8ad910080b6ad1f9d7b4937dd86de1180809bdcb5ef3bbf6f606
-
Filesize
4.6MB
MD5419872da4662d789bae01fc756874162
SHA13017f4917f39c33eec9862bc2d77ae4c5012f193
SHA256a237b58a7d1bc713a8c4152efcbb4a2d3ae97b76879b19349553cdc0a3bf9b96
SHA5120b50ecd3bc09f96f4b5d37b166cb7ad4bc40cb817f6ddc20849527a939c4679c398f2377fc03dd497e88efb721d7e55f8f820b38de42c18f7df47b754e639f16
-
Filesize
1.6MB
MD57ccf3393c5917f4e7f157e7b26ab6f56
SHA13be9d1d0b581caa5b723be13c6d5ba3b4bb7c7df
SHA256331d0b8268d25fe1ead827836b61b28951122545dc02b40e3800103c357d86b4
SHA512d23c8d1567b0eedd8aeecdee1caaf5f419feb5547e6361e7fc23620bc7339fa62173069720484d03ae521b0b86499812bbf58e249e55dd1ba700550d7e192542
-
Filesize
24.0MB
MD5534427bae8815c4fff8982ad6c14ecfe
SHA13ef0c94b1dc2d5e5012a22ac13f332897e70fbe2
SHA25623b87e1a8fe8412b35cb3bb60c442e76bd4f1681f6ae9970866a3c362507d285
SHA512ddf92056707af5300b527d1bfdc914575fcf85ea9d1cedc84f4361302f92284b7465bc6657f31614a0e8eafb2572e7c0c067a55db7db14d6013e4b522b9c445d
-
Filesize
2.7MB
MD5512aae12019c94509a1cbcb3c59a0295
SHA1c6acb7bbc0e03cbadc78c43e69abd9cb5859b95b
SHA256365944d64d73b6c5aba7a5d5ba1f5a3a172c82611a2e6ef40f8cb76154255b31
SHA5125ca0286472fa74abca1c670b54b6d0f9021657873569f0800292a66d2ab22c00800378c31f408090168efc41211f2f8c9cb3559ef4459b76e8b7a1b62c9159dd
-
Filesize
1.1MB
MD50b2347390cb9d7ba8a5fdaa7b28b99e9
SHA123c6b719bd36b7e068349315281c9e6b6da969ca
SHA256d823fa679592e45464b4bb3ba93eb2de014645f4d46ad6d85d574f6da5fafab4
SHA512a41ed7a59f424143353a239fe982f62135c40ffbee95b315f25e58e9ae36f8849786557ade6572d3b4d9516b4afca9f63d1e3e75ec6a507f2ce064e23ca5c7d9
-
Filesize
1.5MB
MD5278cceb9af3cc1acceaaaaba2b105df1
SHA1b939cbcd46a9bf29e2ed4a03ac98175a6c4e01e8
SHA2560b2100d26f2888715035c0afa728978d19c87c33f8f9b8da09490c3f56b3af8d
SHA512
440d17d77e1243d390eb3717f689a70227f278681733352a94ea6012ecc59d72d68dc66e1c97318d1c6bf486365d43050fcb983a1706c52e10e3a7e78827c037
-
Filesize
1.3MB
MD5
784e89e082fbe4fd2d3eca931b50aca8
SHA1
3c1250e9f4183e895d682cfbf42fbec7d4738248
SHA256
d7074d88ae1ae3efd56500991e28f90c6c7c85448dbcde3c8630a1d1de652cd0
SHA512
3f40774dfbbc5a59eed5224e510af77ac35dde54254009e7038bfb8126016134062ff07b084c1c9eef89c5226bfabf1874f6d993b8805f80e163d0606fa7d9e2
-
Filesize
5.4MB
MD5
431bf3875ca579a18dd93eeffeb2a222
SHA1
208c6d53850b0682cf81700fd3abd6a4eda5746a
SHA256
4c605b840309002577daf9a2989cb9f447dd44aea7f71f2c032e2cbb3f3261a2
SHA512
8347447b3ead856c5227659496573b864837a118bf33dca8398f1f25a5b799b6ce7c3b1a07e3fe6498accee488e34abde6a6d578869bbe0224b9d03093233ea3
-
Filesize
2.2MB
MD5
83d83d268d003ee509681699db832ac7
SHA1
8e3df9325cac75234ad857ac429730091b91ab92
SHA256
8b49384612c0e6c55c007767b5017efd276206c24cf02d9c69ce6f6530bb7e7e
SHA512
41d9a39ffe2fb8c38c9e6dbeed775ee84210670f6bdeb4c24af8486d784fbf04b24d4a6f9ed93b79943c691a9f9e33506e0c495b84031f9328141ed2bfb236eb
-
Filesize
488B
MD5
6d971ce11af4a6a93a4311841da1a178
SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize
1.5MB
MD5
a60a989b0dfe27ae11f71939e0c1f894
SHA1
a8f0d4e449ffa272727e2f4c9d7ad564fb2c3f9d
SHA256
866a569caae1319fa23acd0a2bebb59b2154e305e7812043134f192bbee72782
SHA512
369a04069e83cda45442ec45addcfb59727eebd152ed78f2858f202fa3dd9b630a85652954b9b7b4c3dec21a52913e3e2879486ad176fa5109e4fb56fa71ca73
-
Filesize
1.4MB
MD5
55d53945f1753174a8089b98f81003d5
SHA1
d18f5f76636f4659c111794c00edfa9e9495c256
SHA256
c12222a3db9da6c29e5cb863e7f75bbff8bacef68335f06a91090531c30eca81
SHA512
5f3a2d4cc7685c31fb653d56c9c59654eb3be256782eae6f69beb33ed2b9bb9bc5c917de3e01fe4a0427fefd9fd4563023c32c7b5a9ce2c57ba0618fd4c5fcb5
-
Filesize
40B
MD5
23e6ef5a90e33c22bae14f76f2684f3a
SHA1
77c72b67f257c2dde499789fd62a0dc0503f3f21
SHA256
62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790
SHA512
23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\63df61af-1a50-4b42-ba94-96049275d21f.tmp
Filesize
193KB
MD5
ef36a84ad2bc23f79d171c604b56de29
SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize
1KB
MD5
0f62439ed0045ce81c92c2b021bcebd8
SHA1
da25f23ec013bf00cbb2be98ce08a3bb5703ab36
SHA256
595214779d9665237fa90eec198051ca4eb5bd2b456b7ba797794065c41731c2
SHA512
b0408f1ea72916418dee9226606bc549b42154bd134d0b38d554c1c6613db0d8dfc2a35fec86f7b20f894adb496af3937b16de0582213908ab46951747db37d5
-
Filesize
2B
MD5
d751713988987e9331980363e24189ce
SHA1
97d170e1550eee4afc0af065b78cda302a97674c
SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD5
12c15f14c5856f58105c409f20f07d9d
SHA1
ddae73550fbd921039faba014893a35684f08a1a
SHA256
42cf0379aa4d0755b5eff079a167d252e1e23b8427b8649eaf7c036d93bba4a2
SHA512
76aab1c4d15a71132140350163ecbd698a3d8f4a37d89d0aa8f2e20f9397d53cbd324b0e0d81d8593d1b61324920e33ab3a7d7d686b6bf3ff9514076ecc2ec5e
-
Filesize
5KB
MD5
648d234d16233879b376872c7a003dca
SHA1
7ea7592214c2d98b6135c9646e1684b7db3f863c
SHA256
ed49e6875ef198e048878eea09eb8e6f117c885ac25077d7972b74aadae02be0
SHA512
02cd48d43621b8827ce533ea20409ddc2355586466d2c595142ca8ee6e7bede4fa91569ff5f0eec2d69ab35c7b46253fea2ea16c47237a8c94aa8cee2e8c5c53
-
Filesize
2KB
MD5
8441fa327ce1f6c12f371a1535e655be
SHA1
7ccca62179f1eb9a2d47c3886ad8ad4bf5b15071
SHA256
975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158
SHA512
986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4
-
Filesize
16KB
MD5
8b83f0ca3a48cb841c6cc4e912abdd1a
SHA1
3328a86c10d3b9cf57a71144e07cf28134b2b3d6
SHA256
15266cbc87c4d59d65acb08e27c931ed2768b470542b3e7d543dec1eafc2cc5b
SHA512
223a608971a2d050bde7eb0b5da404cc932f3cdf502e865b270198da1a3b25f2340e2a52527eba1a437e50c42b2db8422cf0793a227eb82027f42d663a2a7fe2
-
Filesize
257KB
MD5
f7f73affabfe7ca36de4698e98109d75
SHA1
648d815fdcadb95aee76cfd4a114dc140a2de563
SHA256
0ff7b73a3a5f84eab7cf601a12720c6f6273d9d2525bba0a7e960aa042039c22
SHA512
1f7699a6bc6338a579d17c1ef5ec895fd915eb22df83b5125e8ee939d80a8d8d2122bf218d48fb73af5b79d8d7e85a1e9cbfa80d534263f0a4e395d1a88193c3
-
Filesize
7KB
MD5
22ad2b7b5a641c668b3ee71160d85fbc
SHA1
a56079885cebd467757fbbeb98d5c7eed381b876
SHA256
aeab6ff2ce6e44c1b234c144911e36fec249c553e0061ad10a20fb24ab1e911f
SHA512
72db2c2e79c1940975aa2f116b859acbb67bb226159fe26b9343ddc81424eb6917d903694c8b958c88626b8eb10a581c629d3792e8f24bf18510d36765d7cbba
-
Filesize
8KB
MD5
92ce6469d49fb4ada9c24793d1631880
SHA1
de49a85656a1b699e97c567b025faee5d36732a2
SHA256
79893a0812781ba1a0015ef675e095d936f39fca302ef9e73804b330b246b27a
SHA512
ef64dcfb421f565e83fcc8d9d26263985dfb12efff1676fa503cb6002a0fc2105722b8bf28bdd4a6d91418d268d8fcc20b38453731be191fc962ee3347ee35dc
-
Filesize
12KB
MD5
2660b2a8933fd5d310d61b2ce1fa610d
SHA1
de6259d4bb0415d2ab109ce0ea4c417e776d04c3
SHA256
b95c7704831152ff6cd26dbfb7b3a931997c36a74cec6c398a18c4ef6edd8839
SHA512
44e173769e492cfc3b069eb70da8cde1dbad25c8fad7cefd3893aa5df7f36c237a1d855329f5fdc6a796adc5bca5d6531d9c9e1e50dde58e641240336707db83
-
Filesize
1.3MB
MD5
0624deb51ef00a77da1cb6267e670c9f
SHA1
e18dfe0bcf64ac3d9bca8cfd90975d34725414a2
SHA256
d342898bf9aa9e7073d7268130f7902eee8f1a87cee77eb027eb494fc77a5b48
SHA512
c2e9cbac756538b27c648a055fdfe4f403387f0f29b132d06b81681b94632070101a45b321853f78cdb634ae1d8ed8787e54159be18af2e764bdfa39e5a25014
-
Filesize
1.7MB
MD5
7a8f528207e83a597a7b1f518d4c8657
SHA1
3e02a8736ad4d2a870a8e0302d32a6e52557789d
SHA256
4b59744027b389f4256d8b563102cf8d8ea2b4e6184652e93ef1dac04d389e97
SHA512
ff64ac87e49ba1330bb37b46ac075315dcb99df5fa05c14b10b56487371bffcb57c69e73bfc915af4054cd6dd4248ed7d977eaeca095e9c21a1e3cf04bed53fd
-
Filesize
1.3MB
MD5
23033229ec46c5c9ac5ef19a856184d6
SHA1
78e49d29544c136f11f37f84ea022df0d31f0d07
SHA256
3edc83a5253c0375cf7c9f0b62407c2b475e5903f59e3a4b83d49401b3cde5ba
SHA512
24ffa1af04e60b440c036b3f327d1e46d366800d6776413c1d617f03522de0a59bb0f105a62634cdb0c845748937d4a97487c5a3ee2ad8ab3e52d66025d4a832
-
Filesize
1.2MB
MD5
7cb5b77db96b026ead1d59ecbb16e477
SHA1
6ed7f34f031d3bb356b4512b7842af64b7b25ad1
SHA256
d674629ca62a33a6d9c8462de3f6822eaff7dae2d6b0d15493f705084d172d72
SHA512
8397b6f42ffeff22cc691dfab19712b88c0db7730867bdeb1da6f950f593a51ce48b76de629259322572a0ab76c6b168775482b390500674a35af2dd0e6d1be4
-
Filesize
1.2MB
MD5
0b13bbcac08db72aa95271f532cd38df
SHA1
6a7bc830ef850b9a3973043af36bdcaa8e818bfa
SHA256
1e6ad92dba205e9b180ae2fd888745cf51837ea280642653ad2939cc16f86bec
SHA512
ae6df88ceab80d8f07cf66a72f1247efa8387772a19d56df89e44d2da721aa10d809ba4f067bb2f1b645e6c12a3130924c32315d0d8139f80845d991480a016d
-
Filesize
1.6MB
MD5
faa3fa60e1562e6188728160e6d4662c
SHA1
8e13d68842ce82f9cf35287e373d61c70c174fca
SHA256
89083da5e4f8c773fc608245728ad6162ebc32e81abc4ea336bbf9c577f962c7
SHA512
5c7453e9841c7fa4ea4581b0d0eae47d0e48455f4dea70b9e5dd07e3947b8b851e5cc2e443847325363cc09e6d8b704d89ba395053fb77c5f6c07b28bfd15f63
-
Filesize
1.3MB
MD5
40b618cdeb56db45eb5688fdaf36ab33
SHA1
f2466bf4cdc0a24c3236e1e9100193d955f72d1c
SHA256
7b1239b76d98ba4ba3406efc2b8aad39bc0c8c29e778acedbded8daa784802b9
SHA512
2250c16694e0f4768ef42f3a49c09e75281e8965c84653158d68d92c5b4771abbea3bc00bd18f989e5d07c734982dc9b43338765b4e7f6216d80496b2f73b12b
-
Filesize
1.4MB
MD5
5b263660a04ab80e91c0d1b1ca4ce484
SHA1
9cfae5aca10e11ec0d9e7bded5c8824d9ba09a54
SHA256
331d908e0fd5e343ae899767865efe1a9b2ed1968887744ada44b0a491b7b806
SHA512
303ed2b94096bd4d6a69365b35439bd15541e04138f0b41f698f29a0c4e0b0f38d937e7514285fe2f1bbe8cbcdccf023b1380fc1ca1ef0743ae2dd4f19ef3407
-
Filesize
1.8MB
MD5
32ff6047e549771bee351ca68399bbc4
SHA1
b712c2661be25de93d58c73bee4aaccbaf5b689c
SHA256
54499f56148bd6f4ed9ae7f621ee48e4adee87e140858ea1abf3cacd846ac44f
SHA512
1b9854fc555182f9c8992b692808856f7edb7243bc26e30c84615ffdd2a2ac881fa055803acb9eff5b51a0e539ed3b04273d955f1c418449d2ac900504240fb6
-
Filesize
1.4MB
MD5
39d16449553a258aae8e11cef6506931
SHA1
c29b36e0fd309cba2421b5b9e8f8cbe18517a995
SHA256
cc93cee53c0edf00b73902b497d1f2ba6666ed07500cf2eb833591eb2f8c8730
SHA512
a8881fdf0a8325867324431c3cbac6ce0a20894142519082498a8b5a6c0d69548bf68e220cf05434fb5a0bd7b50342b99d28ebfe497a549e4cba9961366acd21
-
Filesize
1.5MB
MD5
c491e6b4b04c3d00b5923aec7c9782b7
SHA1
4deca2b0b61564cfcd500cfebf9986ee49f002a6
SHA256
807a36c3418bf6b75dcd3910951ca68d94480c59bf3e416ac8e0b4cf862c2081
SHA512
9456e60b4452ac00c789e1eb7caa9bc305f1d5dcc40ab78cd78969b360c57dc100461385c0f1b20eec26ca1c4b9e9d78e2a819db2b07fee6d6b2b8b1b5f668a3
-
Filesize
2.0MB
MD5
78d61d326e01cbbd45cdf309bc7319fb
SHA1
fa8e830dcc38b2bd5e92e1d8b74befbc9c26c746
SHA256
19bcb211a73800189d7796f9c29a48d936cf0b1daae596b2d21672b4d5938ae8
SHA512
1fb8cfb13c361cf17c583401919f84c4b1ab8938ed637a66c35231a091cc713e56f5ca0f7be25f9a492489b6f953afbdd0d1319a8a51fedb085aba9de7812533
-
Filesize
1.3MB
MD5
ea0477f7f3cb90a2c7f671bbf0a0018b
SHA1
18cb50bbdcfe3f3a5dcfe68fe95e8a785792c767
SHA256
14bf950c67e11a9a069ab13f4f7fe08ba922ae8369ca90bfe72af2074fac9851
SHA512
1c47b47c63dd558af5e111883276d851acd47d78b4090cace2bb515886dc3725327b9a0535a152ddfac1476b18234d4cfab157600f5dc0a0587c425f3a8dd44e
-
Filesize
1.4MB
MD5
609f96011fbade7a41eb2dac525570ba
SHA1
97697ae893d75ca7fcb21b99e04ecab691fc7731
SHA256
0e33c30f09ab39a6f035f9b67459d35be560ae0c6afd93e8635aa4436d7dc72d
SHA512
e5dd9da7d7dd34638b018994825b8d65302c249624c8825cbfb53830fd9292634c56daf5c541ffc394ddeedfbd4ef908f9e7a2cfaba8bc026fb23c1634f357ba
-
Filesize
1.3MB
MD5
e2e64404f6942a5c79aba48ab3405f20
SHA1
a051430196b464bad958e19034fe5f8de6caaee4
SHA256
14fe0fac54b3075b6cdaddbc2a6ed3d343802ca5ba0336052916a14f3d439142
SHA512
51eb39a809cb4a8451446c0e17a8f9bebf7718171646efba1f02a44994646628b6220580c553433ffcf2bd16619708c6476d4efe7a599b5298a40921f5a72f49
-
Filesize
1.3MB
MD5
68dfb714d908d1ab98ddfb9d467bcc4a
SHA1
1d15af91c59a148883dee8cea984505a88ded585
SHA256
9a501242e6f8826fb85757bb80466a69001bf55f116373c0d3b21b4d435d1fa1
SHA512
410f48520c3d1923827c73527ba745e190d8ea3341e97fec3377f809dcf6bce83325763d909101906efa24db79c91a957778dca2b58d9677afc0823c46b7513f
-
Filesize
1.4MB
MD5
a092cc1ef38c5c3e104c1bf06af570e8
SHA1
4090fdeddbaddf0614d08e5df6bd70f230ee3093
SHA256
5f8f71c48e9ccf1677d7fb8749b84bb8427f038d0060a8929de512681c312851
SHA512
bca93040a414da33f8a3d5eeec5822739403ac5978f008c61d280c04ec25ea3642547feca4210d18d3e9779f20800221b1ff8089bdae0f217dcac7c11f46cb1b
-
Filesize
2.1MB
MD5
d703e21fd52efb184d7beba35a359393
SHA1
6365141b2779cf6b06b148fca3ee10c00f01a702
SHA256
ff2fcaabb000c879c4df9b609e8ee88f4d15af1753a7f727ac1f8ccafeee3ae9
SHA512
ee0bac623a9eb0e837da5ef0c383ab7e8735526b87834cac1faf09824fb02dae55f4281c4b36ccd4db25ced056ed9ba9878925a1f4b135b3d7a9e1e5f5ffb13e
-
Filesize
40B
MD5
440112092893b01f78caecd30d754c2c
SHA1
f91512acaa9b371b541b1d6cd789dff5f6501dd3
SHA256
fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6
SHA512
194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea
-
Filesize
1.3MB
MD5
3cdaef1969d6a493ac1f7e4e9df29261
SHA1
cdf9168f599d580f364a1ce221d4ba3a1a84ef31
SHA256
1840c272507f942e3fc2421cbfc1d4f6fc83c8916028c96e2586ea4f5ba3846d
SHA512
624ff208afe9843a4fe85472175ab41a61923f0c4db1323d6ef70caf3c3613e7ba601d51bf1241a5ddac7e412b9a3e7e9d276f4b7ab0e7e3190f224918607778
-
Filesize
1.5MB
MD5
9db0fef083920022e808286f08d9f50a
SHA1
7c8eaeb92d35bb601b398101df97b4e806a50160
SHA256
f6ca5cd59e7b9ce08882071272718dde8413a9d42bd0ff118863e8a6308df264
SHA512
5c1fa253afa62bf1c6273bc5d5440091fbdf924c05cfa84ca83fcde3d7f519d05a2407e475f57a617496de8967d966876d52eebfb42168133bdb7494f6deb89c
-
Filesize
1.3MB
MD5
310a40df43fabf719159f3d69611c59f
SHA1
17b2380bee51da996b811ceadc10c654d5111af3
SHA256
662caf49ac84a853505d84846f1afc70d5f3ce34baef897e2158c23d02f8e19b
SHA512
ef62a3032cc39eb07929cd01688a759eb2f05142aa52ba7fb301cc21910ac318e90895953012a2e7b3bf424264b8ab61740a9e65a3482194e4038f905864b104