Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/05/2024, 01:10
Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
Resource: win7-20240221-en
General

Target: 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
Size: 5.5MB
MD5: a45f805c8c54ecfd251e3344a8d56e38
SHA1: 14a351bac1b8e280650c3686877a433ade1ad057
SHA256: fc17f807726630879573382970c725e4c53afbb3119093eb020c290d5f4fcfa4
SHA512: f839a7f0a22ed739ed09a3bcd158e387841105b44daa32f9b013fd2133d0056ff23c01cacb56f6df32b81df1efa172e356ee91cedd6c4edffffa11e40029a745
SSDEEP: 98304:DAI5pAdVJn9tbnR1VgBVm1U7dG1yfpVBlH:DAsCh7XYcUoiPBx
Malware Config
Signatures
Executes dropped EXE (26 IoCs)

pid | Process
4344 | alg.exe
508 | DiagnosticsHub.StandardCollector.Service.exe
1220 | fxssvc.exe
4112 | elevation_service.exe
2036 | elevation_service.exe
920 | maintenanceservice.exe
4684 | msdtc.exe
3596 | OSE.EXE
3924 | PerceptionSimulationService.exe
5100 | perfhost.exe
4448 | locator.exe
3128 | SensorDataService.exe
3500 | snmptrap.exe
2888 | spectrum.exe
220 | ssh-agent.exe
4392 | TieringEngineService.exe
3204 | AgentService.exe
2056 | vds.exe
1592 | vssvc.exe
1428 | wbengine.exe
3740 | WmiApSrv.exe
2956 | SearchIndexer.exe
5428 | chrmstp.exe
5556 | chrmstp.exe
5692 | chrmstp.exe
5752 | chrmstp.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\61de6582bb5459c0.bin | alg.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
Drops file in Program Files directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaw.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\java.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | alg.exe
Drops file in Windows directory (3 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)

description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)

description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000dc9716840aeda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064b0da6840aeda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005913dd6840aeda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073385d6740aeda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc10566740aeda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e081c86740aeda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e260456740aeda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008846cd6740aeda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe -
Suspicious behavior: EnumeratesProcesses 41 IoCs
pid Process 1200 chrome.exe 1200 chrome.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 364 
2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 1200 chrome.exe 1200 chrome.exe 6772 chrome.exe 6772 chrome.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 656 Process not Found 656 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 1200 chrome.exe 1200 chrome.exe 1200 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 3528 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe Token: SeAuditPrivilege 1220 fxssvc.exe Token: SeRestorePrivilege 4392 TieringEngineService.exe Token: SeManageVolumePrivilege 4392 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 3204 AgentService.exe Token: SeBackupPrivilege 1592 vssvc.exe Token: SeRestorePrivilege 1592 vssvc.exe Token: SeAuditPrivilege 1592 vssvc.exe Token: SeBackupPrivilege 1428 wbengine.exe Token: SeRestorePrivilege 1428 wbengine.exe Token: SeSecurityPrivilege 1428 wbengine.exe Token: 33 2956 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 2956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2956 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2956 SearchIndexer.exe Token: 
SeShutdownPrivilege 1200 chrome.exe Token: SeCreatePagefilePrivilege 1200 chrome.exe Token: SeShutdownPrivilege 1200 chrome.exe Token: SeCreatePagefilePrivilege 1200 chrome.exe Token: SeShutdownPrivilege 1200 chrome.exe Token: SeCreatePagefilePrivilege 1200 chrome.exe Token: SeShutdownPrivilege 1200 chrome.exe Token: SeCreatePagefilePrivilege 1200 chrome.exe Token: SeShutdownPrivilege 1200 chrome.exe Token: SeCreatePagefilePrivilege 1200 chrome.exe Token: SeShutdownPrivilege 1200 chrome.exe Token: SeCreatePagefilePrivilege 1200 chrome.exe Token: SeShutdownPrivilege 1200 chrome.exe Token: SeCreatePagefilePrivilege 1200 chrome.exe Token: SeShutdownPrivilege 1200 chrome.exe Token: SeCreatePagefilePrivilege 1200 chrome.exe Token: SeShutdownPrivilege 1200 chrome.exe Token: SeCreatePagefilePrivilege 1200 chrome.exe Token: SeShutdownPrivilege 1200 chrome.exe Token: SeCreatePagefilePrivilege 1200 chrome.exe Token: SeShutdownPrivilege 1200 chrome.exe Token: SeCreatePagefilePrivilege 1200 chrome.exe Token: SeShutdownPrivilege 1200 chrome.exe Token: SeCreatePagefilePrivilege 1200 chrome.exe Token: SeShutdownPrivilege 1200 chrome.exe Token: SeCreatePagefilePrivilege 1200 chrome.exe Token: SeShutdownPrivilege 1200 chrome.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 1200 chrome.exe 1200 chrome.exe 1200 chrome.exe 5692 chrmstp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3528 wrote to memory of 364 3528 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 82 PID 3528 wrote to memory of 364 3528 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 82 PID 3528 wrote to memory of 1200 3528 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 83 PID 3528 wrote to memory of 1200 3528 2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe 83 PID 1200 wrote to memory of 3424 1200 chrome.exe 84 PID 1200 wrote to memory of 3424 1200 chrome.exe 84 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 
PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 4292 1200 chrome.exe 111 PID 1200 wrote to memory of 3704 1200 chrome.exe 112 PID 1200 wrote to memory of 3704 1200 chrome.exe 112 PID 1200 wrote to memory of 2756 1200 chrome.exe 113 PID 1200 wrote to memory of 2756 1200 chrome.exe 113 PID 1200 wrote to memory of 2756 1200 chrome.exe 113 PID 1200 wrote to memory of 2756 1200 chrome.exe 113 PID 1200 wrote to memory of 2756 1200 chrome.exe 113 PID 1200 wrote to memory of 2756 1200 chrome.exe 113 PID 1200 wrote to memory of 2756 1200 chrome.exe 113 PID 1200 wrote to memory of 2756 1200 chrome.exe 113 PID 1200 wrote to memory of 2756 1200 chrome.exe 113 PID 1200 wrote to memory of 2756 1200 chrome.exe 113 PID 1200 wrote to memory of 2756 1200 chrome.exe 113 PID 1200 wrote to memory of 2756 1200 chrome.exe 113 PID 1200 wrote to memory of 2756 1200 chrome.exe 113 PID 1200 wrote to memory of 2756 1200 chrome.exe 113 PID 1200 wrote to memory of 2756 1200 chrome.exe 113 PID 1200 wrote to memory of 2756 1200 chrome.exe 113 PID 1200 wrote to memory of 2756 1200 chrome.exe 113 PID 1200 wrote to memory of 2756 1200 chrome.exe 113 PID 1200 wrote to memory of 2756 1200 chrome.exe 113 PID 1200 wrote to memory of 2756 1200 chrome.exe 113 PID 1200 wrote to memory of 2756 1200 chrome.exe 113 PID 1200 wrote to memory of 2756 1200 chrome.exe 113 PID 1200 wrote to memory of 2756 1200 chrome.exe 113 PID 1200 wrote to memory of 2756 1200 chrome.exe 113 PID 1200 wrote to memory of 2756 1200 chrome.exe 113 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Users\Admin\AppData\Local\Temp\2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-05-25_a45f805c8c54ecfd251e3344a8d56e38_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2d4,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x1404624782⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:364
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffceba1ab58,0x7ffceba1ab68,0x7ffceba1ab783⤵PID:3424
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1908,i,16591191851203232244,12637277530684096287,131072 /prefetch:23⤵PID:4292
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1908,i,16591191851203232244,12637277530684096287,131072 /prefetch:83⤵PID:3704
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2176 --field-trial-handle=1908,i,16591191851203232244,12637277530684096287,131072 /prefetch:83⤵PID:2756
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1908,i,16591191851203232244,12637277530684096287,131072 /prefetch:13⤵PID:1224
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1908,i,16591191851203232244,12637277530684096287,131072 /prefetch:13⤵PID:4800
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4412 --field-trial-handle=1908,i,16591191851203232244,12637277530684096287,131072 /prefetch:13⤵PID:5356
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4544 --field-trial-handle=1908,i,16591191851203232244,12637277530684096287,131072 /prefetch:83⤵PID:5488
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4700 --field-trial-handle=1908,i,16591191851203232244,12637277530684096287,131072 /prefetch:83⤵PID:5520
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1908,i,16591191851203232244,12637277530684096287,131072 /prefetch:83⤵PID:6136
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4280 --field-trial-handle=1908,i,16591191851203232244,12637277530684096287,131072 /prefetch:83⤵PID:5168
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings3⤵
- Executes dropped EXE
PID:5428 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae684⤵
- Executes dropped EXE
PID:5556
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=04⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5692 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae685⤵
- Executes dropped EXE
PID:5752
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4284 --field-trial-handle=1908,i,16591191851203232244,12637277530684096287,131072 /prefetch:83⤵PID:5576
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3736 --field-trial-handle=1908,i,16591191851203232244,12637277530684096287,131072 /prefetch:83⤵PID:6528
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 --field-trial-handle=1908,i,16591191851203232244,12637277530684096287,131072 /prefetch:83⤵PID:6540
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1908,i,16591191851203232244,12637277530684096287,131072 /prefetch:83⤵PID:6624
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1908,i,16591191851203232244,12637277530684096287,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:6772
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4344
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:508
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:4396
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1220
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4112
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2036
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:920
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4684
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:3596
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:3924
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:5100
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:4448
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3128
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:3500
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2888
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:220
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:4336
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4392
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3204
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:2056
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1592
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1428
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:3740
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2956 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:5812
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:5988
-
-
C:\Windows\system32\BackgroundTaskHost.exe"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider1⤵PID:6136
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 7d1bd2d25b3ba166e6dd4ff9e3cde71e
SHA1 a48f344ffad2bb04065942b209b36dd5a899c10b
SHA256 4787c2a7d91666231a9ed3fc98e12fe8a5b232f720cb2ca9ea58a5e86490a447
SHA512 9c65304ded32b0f5573aff13611e97d6f2f60bccea8652df2b7cb06bcb0d654a7bd28f2a410bb61cb5a063a7ebeb59068a1e3697e2b03af2cba5d0534cc39cb5
-
Filesize 797KB
MD5 41de1f407d7c543fa0093cb8a543c6ff
SHA1 226c34779206eeeb13362b96bc20214b4fbba9a5
SHA256 dab784a65f14b12d40bc9da0600e1a9d6dd7649b1323cecbd373089b6b345be0
SHA512 435e93abc6bb7d691879eb36c32fc34b1d036bd08d6965b1ecda9b1081b3dc306fb51c1a3be796f52138153668b1dba5d23005a402c926f1b29270efee912ca9
-
Filesize 1.1MB
MD5 e663ee82b374108f529955e41f8813b3
SHA1 a3d647855b3234bcb7e9507a18908b3855cf2a2c
SHA256 d009611669cd5c0dc39826b20cd159664fe0f6dc4e1b3fa2d867e0a14ca6cd67
SHA512 bcfa359a2881a719eb4f5a546159bb4547c20e973bf51b4a0ea1491913d7b48918fc8829d75eb92ef0df2293544a212d0e9ac7ba1f9176899ffa55ec178c1f99
-
Filesize 1.5MB
MD5 e7c3c4c66f6591736fef99c2b4faa3c4
SHA1 7907eb654a1adf0568cd24772118b06218aab6f9
SHA256 ee121b8e3f392f89b3b9bd776cda820daa76eff960fc6c616fd40fffa0ff629a
SHA512 1614a0138dfc25c080582a3455ebeb72ed5b0a12a5782791b3d5c0849a730dae3db9ff26eb0333494dd2818564865e808b8b7dcea048eeb2857a4fa16d7614c7
-
Filesize 1.2MB
MD5 95606d10bc8d5c6936ae7aaf590f827c
SHA1 2d9db781760146fb552d7d23ebc485577a13ad27
SHA256 3e6d0070078f37d00eade0bf67b97e09221a6e192043c89ff61d0d345680e3a5
SHA512 e19cef11c9c510f471e9d4f01ee78958c114872c6608ec58d59580f4a197aeedbf483176b0e8a48b27728806734ab61eab58375c2303d3dd995c805976df59da
-
Filesize 582KB
MD5 17b69720f3fc4193bcee6fd0322577d8
SHA1 1f466630eaa24140bdf83d9486a669d0ec7ebb7f
SHA256 8e4cc260be6ca33522911f4714976b7e39adf4b70c3a0230662e7cb39d8f6f4b
SHA512 2ccf2fe9428ed62cd5cf20f193af4a828350ab22968b10ef6e7bb847345f570e3e8626f92e68c1f2e70b729e1cbe6af92a86f6c9f7afdd9669b6869b3260a236
-
Filesize 840KB
MD5 14b52258a93cf81a54f351f2bc01fac2
SHA1 bdedef125e7db05b7ae56bac2c990593c90c4fdc
SHA256 d1760ab4a405d50be6dbcfbabfc9d7096866c40c69b10cff0149138422242bd7
SHA512 b92a0c347eb4ec533bfe81d06db4730b30903becfdabe7943178ca1dcd8db7d4d76dad83e09e8ff472dcd293408f2725f7beaacb4bef4999f6c4c22ff9187254
-
Filesize 4.6MB
MD5 448b5187db17677e34d49e26e77f7037
SHA1 5188f92240afda188858838ef802527a83afae67
SHA256 50a0d252bdee73191a54f2668d97d482d98c67625b14bee8d5e712b1e301e6c7
SHA512 db781115728ffff2678e83ae138d6e075caf81b3ac635005401ed2daca189dce910d2f71dcd65a50d45e33ec8a9ad4db29eb95cb9bdd3a0c361b36cbd19a3153
-
Filesize 910KB
MD5 04aed34802424ce4e7d5bb81378e7e80
SHA1 99019fa79e34490caf63846644f54767fabf3182
SHA256 002ea12eb9a757f7075cc293fe3a39dad79f7c84c4e4e68d186ec5dfcf59d286
SHA512 7cdaec2820c0444cc8c6a0ce71d9cd599168c1a73b6e8f549a8c0c5d4961b6790b8831659d5cff6267a990c03a26f118c3e98d68c965300a3796025e6e1e982a
-
Filesize 2.7MB
MD5 bfb3a748402de64db36df6c8245eca54
SHA1 069b268564fa86b528e4618d45d645f5059838e1
SHA256 2c8f141ddb655a59b51b17e749bbea56c1d2b0ebc283b7a129cfbffa94ecc5cb
SHA512 02cf1e7e3121bec302152f165425c7759980ea69ef3cad1697d513b0b10eaf74a328e5a7a3c35a37db7f0571ed7e20664b4d5abfd3b70d0e73aaa3c1aaa59d92
-
Filesize 805KB
MD5 d468745e80fb7bd1f986d186a9e84ce6
SHA1 c1a6c60c28f8f37b73aeaa9af44b6ee2b03489c2
SHA256 9469d2a326f58d8e7a60293673df21df496d4e94c093e8281f868723600fa8ff
SHA512 f961cddd0c890a67973163f0bb4752939f7a9df5ba04e20f0525e6241870d5158a6862e2ce0913ce5e5e746a4f669bf49bb8c6fbdc29106a9767f1e34b21b4e4
-
Filesize 5.4MB
MD5 0f3d1f757ca424e37a4a66cc81150d16
SHA1 54a7a8e0cd2e179d7c87c4483acb7c318b2a6d91
SHA256 f7d937a0a862722dc2d88ca9e86b313680084dc15f44b28933d442258c8cd566
SHA512 75eac1a729b8057c7b35358fc9d468766b479456123944f1d96799918a0a0e6ebbdfde57fdebcb57b42e9170ec9420931cc8300eb098f48116eeb6638450d757
-
Filesize 2.2MB
MD5 172f86bae4c15e2ea8e77a8b8cd87d78
SHA1 76fdc676d5ab871ecc6ce434e19a508cf8da7a5a
SHA256 da0c0df64597da82e3bced052c2d6a6b0a90da7eb856e9f890f6fbdbc2fdd654
SHA512 f09689bc0d95728dd287b51f9823c0690d98fe8e246adab687fd06efd93ac4b4c13e96f9ec29acd8c0dd78336ee7e6b5d77765a196dae9c1d8eed895f25f5065
-
Filesize 488B
MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize 1.5MB
MD5 133ec972ad6e127fc09067cae476b780
SHA1 ee64dfac31f4eea5827aec280b26a110916a7b7a
SHA256 1d2b408d1054a0fdb1dc3d47f045b50de34949d111e7eb627811424c637bdf6e
SHA512 4ebad42c39b7ae0b66fc58bcbfcf4e5624900f77f80f9f82e6c3315f4c9642d9319a45e88694434a704a07b538b61f739eb1e95c95b5691e7f039a7dc7ddb378
-
Filesize 40B
MD5 772424160a740ab46f10d75ee3f72e87
SHA1 ce1d08ca4145f6a14ce3727642af5a997f73d1e5
SHA256 00ee43ab7fd127a5e0b86cb4db053f67544834eac165db5b54f4b1d406952b84
SHA512 920600c6e67f96b735a40de5e0c4bc1c585f49dc7e92bb07295bc0fed6b1ec3814f5813690d169d574b7184a6cad67cbf97718c224b0cd95cf7df239ab536d88
-
Filesize 193KB
MD5 ef36a84ad2bc23f79d171c604b56de29
SHA1 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256 e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512 dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize 1KB
MD5 786d1e461d2fca3892e5e430e5ad7d6e
SHA1 4bb86e9b543702951e3921e6ca7bf8c80c8a2c82
SHA256 49ff46331e39b97888a718a516935e7344d2b1107af042d05f33184891e27998
SHA512 6be62e01db10062032a6e970e4620efbb3a05fc802f5b06cb37ce0d3c7699772c792212d0999d8ed728877e82c6e1c91e326da9dd50f7b5c93c7b40a3df5f8ec
-
Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize 356B
MD5 caf94a5d9921168bf6d59b65de9aff12
SHA1 c1614bbc6e2407d33c9cc8ab89c642fc3eb9ae87
SHA256 f249b22ea9ed15e69c5fb30ae1e49e05de86291b87e65b11f5f68c981af6c769
SHA512 4904735f7f30d67aa31f04a3bb5da0ba2c3414679104a2999c0cd8c67d3618bc02c047f614136e38265b6c921e7e77b87d0316bcd0aeb112ea1ae5930b645a0d
-
Filesize 5KB
MD5 c8db18e8f405c6c13994f692bca71389
SHA1 ae09378fe449be4eef28b2a7fd52bebcac4c9e86
SHA256 71444c2e961d8209f97c53573e6554fd9f43b88e8f0dbfdef7d6abee5a57a754
SHA512 270fea47d5bae8c89496dcd0304df42a30a268756f1c7fcce6398f18dff25b2d361773afd810320b6b2bccb91d4922fa836da442976ac12a8cca6cf4b61e07e8
-
Filesize 2KB
MD5 62ef0b2d931dee49ed513961ece66048
SHA1 75ab8dd2d029abdc0701a541bf3076082b6e0c26
SHA256 2363d110b62787968a21ae43497d60d50ad3e2a713303aa36834d810f996344a
SHA512 ab8379f396349faf8b51cd6ef4cb31c2d16da749b9902654227175423872fa6d81447d28926892602644a35b30f8bcb9412ee90b0eea93108cf6eb1b8dfbea94
-
Filesize 16KB
MD5 92f6210a3a5019fced55ee815b01ddb6
SHA1 e37a892acf4aeb05b73cf058a6e65c61005d9807
SHA256 82bed0acd2f3baf1482bfa1fbbcb93c39e8e367bd9fb8d93fc89a75bb5929e91
SHA512 c7af24203ef341330bbdd8bd3b0eb2f5e55598dc2989d20edc38f43b0808ea45d24f9a48633c8a20050cea842ef413736ef9644cc176af7e8509df7aebec5921
-
Filesize
283KB
MD5960c826460a910697e2194d3896dc31a
SHA19cab5d7b8eb20f2895767d136e20e8a58b8a0036
SHA256b5bb43c8eab49efe66a569659e23f069bdce49893c29b397c2ac3ef7dfb89c85
SHA5125a7c80b358721b0f94c0a803ec4f73d98a7060488be7806ea6a3bf5fec42f21e37c2a2b0ec287d4f8e9058782e9c7c7bc48a29c257aad95b47f4c3bc997b9522
-
Filesize
131KB
MD5e2f06eaba0d8554daf7408fac1610443
SHA183e435f3dd0e274966700bb845d5f9c9c0f4bcb8
SHA256d7c91f618ba34dd1b5484dd842b7ce38f7c6907df5e107c80c2b17dc956acbe6
SHA5120eaefe2964b7d3a3c5a2f47fd52078fdf4d6e3891e1835e833ebb93278d3304e2cca5ce5cede567764f8ab0ccd2fd4ad0704dfa02e34ef79d7666b818dca5112
-
Filesize
262KB
MD5479b0d572d38efe9aec530a57ca5762b
SHA1a32fb9342466de3b7be97cb7855f4c1cb4e04f45
SHA256327be588404f13b24364e26cd8189690166a8f0c9df80fc1e9a6bedf928407d3
SHA512b3a5e45aa32f01ace6eeb3802a47430d53c9c44c364e98a52302c2620222a689d3b752f841d96f61bf20361a8d5ddf3e43326cf4a3862431c67b03f2a88ac2f3
-
Filesize
262KB
MD538e303be7ccd94422796973ca96d0ca7
SHA1b3fa72bd5d7e904c2a1cc972a95cbd8b3284a811
SHA2569c15569fbd9d50a8d090f76eb1227bde33d2df7973e5b1d1df005fdcdd60220b
SHA5120e8889b641ae3caa964ad31279ce78189068ed57178628e516c38a8d1e02a37bd6f117b8aa72dc9d2e50220e332935193460b52c1f16dd6a44ea83c26dad0db9
-
Filesize
88KB
MD5a8a0da7cc265250373dde9da034ae9ae
SHA11d289eef0b70aea4e1f71fdda60cdda6bd9832f5
SHA256c9b7dcadf9027b8011d7fb6974dd0f2d06cc43b72dc7eb58bb39778229058af9
SHA512d8536bbfeca96db196e212aac8efbb3642256f45215343c1d87c1ae6db98549c25bd4fb1237c8f67abf1201fe0961789572498b70dca94ab6dc6fe16d35717d8
-
Filesize
91KB
MD5e8ac1593a0cee30fd6a94060a04b3ecf
SHA10e5da596bbe3ede58d9c3524ce1fd7f3082565fb
SHA25648e66d51e64b7ea838005009b95782c1f5ae98401d45dedb98028b2cd655a611
SHA51269f5683c80ec13fd0ca1a6cc987386a4a0c893d579f4090813e6447dbfe2a63bfcd27f7b32e5068978996a02752f29bfb0f21bdfcc0e797c6a672c99cf8f41bb
-
Filesize
7KB
MD5a0280ba358bcd1a1aa092654c2f04bbe
SHA18b4fad73b1d10ea24bbb4cb59a6fd129bea4db0d
SHA2565985153f8e028b2191fdbb60975632663ee764c1496578d5d3e32dcc3324848a
SHA51214c8884fad3d2e2b1dcfab88530c12c3320006645cafcf9537d920f095cad27071f06a0fd651ade48db01122f58b57ba10004d99e07153705213adb97bd4d881
-
Filesize
8KB
MD58427513918f4b1340eeae41f124f2e4d
SHA13f319375f46b58bf7b698c9a9e9c52504c66858e
SHA256fda2c6e882154c058e87e719f78dbcf46a22e7d46351a0caeaa650c4b1b176a3
SHA51239ae1c39996c26d6d69c2c62e79ecfb374efadfbb7091f7a17a3761fa60a250df01c9211849ecd1c3ad62822d84394d03412fccede726a103eb4cc549245220c
-
Filesize
12KB
MD56702a9c1778e9f18478389839139a2ea
SHA164c2615420a07bf2af3080adcfff3ac05299e097
SHA256bac9846b4e0c6060ad6151100ad576240a6c27df40d4aa5169cba1d5ce88d132
SHA512c8a571a612022d7ffc3332809703ed32f21943b065f589781f82f7a488c6f9c435affefa2e58b2edac98a8015a4f6f138960bfde87b0de87409ea6f3bf05ce1d
-
Filesize
588KB
MD558e501a7ad107fd1615a0bd517e653ac
SHA133bff28305107b41c9dc037548a6560524e5d054
SHA256412b8192a9474bc8d1ada5b3b98bad04a0f26e6de794381016ac12429d929371
SHA51281c535d89b76e52b49e0dc47ddaec15686195c3fcc21045f237f3b580c586b0cc201533696c2be08056b4d9da4813fdfb975aaa913a089055b70207a1169568e
-
Filesize
1.7MB
MD54d55a9920c3029fa0683240b65d70ce1
SHA104f7b73e1decb67059ec6cd66856dd20a099124d
SHA25634adc2e1e9a3975365bb8fde4c323445df0fac1c7328b0777a33e0031c10014e
SHA5129658b2c38cbf10852a852ef73aed0afe22f92bc345514a876b83c23815b95b35bb7fd0a8de66b9f4c9b49d61fcf536a049b74a65b82c4fc9e99edbe4d784a7b7
-
Filesize
659KB
MD52fd31983cced67163a3de8121824f97b
SHA1d6f8963cdd01471b16205952a086bfb46ddaa765
SHA2565f838478232bbdaf374dbe61cd7021c4751cdd3899aff18b8437169040965aa7
SHA512d1cce14f4472485bb8a82dc88010e7f1dd8ca92358ed59e47157dd4ad915bc85163c06d23cc40741c3a22f4baa20b00c69bed27c0e42e565051431de23f0de57
-
Filesize
1.2MB
MD5b2f1b310bfb0fbba50bc16db16100a39
SHA182a2bfd361540c1a5690dafc573cc37fbbb7310d
SHA25698ed40669a19181578b73101d7bcdbb39bdd5f485d333e6d0b81f88d31475626
SHA51285ccce1c79dbebfbfd11fb3c3ce53835765039cdbd8649654f4713496f07c568bd70bcb6fd1b6cd55f769fe43eb358c3a3d3a41cf6004d5f1b881290b1137f1c
-
Filesize
578KB
MD59bb6c01a218c02e294ebf4288e6ae741
SHA10fe836d04c753e82bc07dc485985edae5a859d9f
SHA2569b253bd24e0dc5d435dec16aaedd94a07e521c3ccf0d5ea6897c333c2f07d51c
SHA5128ccaa3359a300ded92858c970d0c2538c320ea729d7233a52e32f1d71fe103f1b412f7ead31ce6368bdbac2bb40b62d327945172eb209f413dbf984c9c93bec4
-
Filesize
940KB
MD54a466d3fc53a4492d21c1ea87365b160
SHA18c9eaa9e1792317ccdee155b1206885c2862e5d9
SHA256cc34cfe75af2c2add1d08cf509ee14895214d99ba97d65e8cf3caa69f7ae4dea
SHA512b56447daa382c4a19486ad2c1622b1b82c97126b14bb003ef3a13d480b8d9999bfada8ebb343c9c24448f7652330ad0ff053d4026d2ce697ce5b2a487bcec127
-
Filesize
671KB
MD5fdc0cdd0334479cb9d970f23bd4d8452
SHA1512c379657b9b4d9b6efba74670c16b834a8cc6c
SHA25601133929ccce03c6d8be433a0560e48487c7897bdec34e80b734a988ea1934e5
SHA512b8f6bf7fbde28980377789a9abbd63aee5cb76552fc8801ab0507ace42662f9de07beb90dea7b3d255738254b84d4824322d3ab82fbb55ac167328bc8f2b2361
-
Filesize
1.4MB
MD5489ebe9315101419a8c3caab6acbbfec
SHA18d7c197234e4afb4bf38dccc1f99dbec1a9246db
SHA2567f139194af5f35bb701fb16ac070e2e81a30804c3dac77cdc5be05e3d0fc96fa
SHA5120dfa0a098321b046ecac6911df3ed133b77ec619a1c2924c9a53abdf83b54e3046b27c67ac164602b26c0684bf9ef62c5ac4ffb4ca554fc47f77b56c4a305db1
-
Filesize
1.8MB
MD532272825fe233b7509b878cc1247700b
SHA1051a3b6f61a1983507642a1fd4d58efb3ef57d21
SHA256779cde50826ee4d5ddd2394d1641d20fcdf99afc2a85fbe313c025bef3c03e2a
SHA512abffee2bdfd1c3f344e9da470ff8d5bf9fe726a04f7e5051fc55a0f1e375085de4fac17239869fa87f0ea441d6af04e6a622b2dc1b32a62c3a3a2c91a91e19a7
-
Filesize
1.4MB
MD599e5584d0a3c37ef7174235f5a9d383e
SHA11647af4a1fb2168292c62a2dc2685b0fb8be0b8a
SHA25630b9803a10df34ac213ad8fb9e169bfeb11a6a4f589b64ece801926b4c776f07
SHA512d9920ae6069b6efc7e2bb5a2077a155fe437694eb853b4e0e057e0a553a1fae8893d310fc3044306120b242a75aae4e2ddaf6c74d2ceef99415c030bd6dc753a
-
Filesize
885KB
MD5fb2e3badf5bf9a1b66570b3bb32fb48c
SHA191067a49af6a9bdccb266cf1dc56b64910b1269c
SHA256fb775b8517efa98fdca172cf42e2e01544a6b73064b26354c1103d8f85ccc011
SHA5125969254d66efc421b76d48940e921534a3b88fe9739db7cb487963ddc55eee0a4b24bf3ae0df9657ce9da52a65da19421146cd084aab48c5091126406d7d1243
-
Filesize
2.0MB
MD5737eac800c40f7a52a357e7f924a66c5
SHA16d317d3a73e6f4e61ce2fd45a5d5d8b4f3c56c51
SHA256ca21b4545914a4dcc2fa18d59c331a8120503cd65fb44834390df6924414845a
SHA51240068251263c8ff41fa03e93a988db37ef52409c02cc4eb4c7cd3018f86280929d2cee0408d4a925fd12004f74dc5e26b582a9c7e82619bc5c179586547d8f65
-
Filesize
661KB
MD5ce4131eea6760c3977ba8d4d5d181f9b
SHA1bfce008b2e540ddee72c35d7e6b80bce82ff0df8
SHA2566f4ca27c19cdc78a966fad037ce4362531f79beb64890fe7b4f511df9260f8f1
SHA51245e6aea032efd7b94d126d695ef0ba0efa789725a8812573ebc58774023348a2fdcccf7634cea7ccf5134d885b8790be00f83db8e18204500740465517f74260
-
Filesize
712KB
MD5eb2594e78db553ea827d0d5d12064527
SHA1dd2fea2507d293600b66cc32962c4f5e96e8da44
SHA256eafc457f85b5fcf6b3d4e5f188921ff4e322bfa2b6e58b2e14325cd75fed7df2
SHA5122dd36bf5ac2ad6985981cf14d66e8d6f37cda5f583dcac1359d1a6e3be5727eb71d9653786c71f8c6fd5b7c7a0d0691a7125f1826dae46be4873c1f993bf9591
-
Filesize
584KB
MD525111a786c66f4ee0a8ed41ad6a75383
SHA12928dff2d87fdc8161cd1b00a6bb6f1b8b144f86
SHA256375d5f7a50683620e6d04778608c0f86e794042349eee74869a3f0faac13113b
SHA512369fad1a3af9b4902e2e3ba1a2d5b8912a09339ad8ba297b998efe073b01cae7625571a6e2fcaa5fe471b2715e8f1c454be28b641568b1c3fda6bd763b313915
-
Filesize
1.3MB
MD533328275642d176fc2a9610c4baef2f4
SHA10cc293aacf43a722c120468ea81d6b486bf0e2c3
SHA256acb9839ef5809f22873cbca1ce5f336cbf82b6ab5335da4112de3b07f1b0ba46
SHA51227499003edbe84d9919cc04aee9bd76c1c520443f6a4fedab78c84a157ecc0493899b438e3e2a5f65ea7ea8f35eb5863a73be92763334c72b81508a000adfbe8
-
Filesize
772KB
MD51b25dd20433b92eda133a92d216fa98e
SHA1fd9cdffd435a898f928499df1811f1531f26e615
SHA256424a13ffbf21b496dcf856773b1a240170a4a3ecb0d2617696b6eb663f430a88
SHA5124f1063d0f9abf720fe16ccbbbc5296e32d88b6d2aadb1986108a8e47fcbbeb7f43bda7505098b7a0f92f34fb136420c0dbd54a5f590ae87a43ea659337dc24b1
-
Filesize
2.1MB
MD51eb11deadc79c9b275697b20120a83a8
SHA14a7c237f8f62a77d0473fe99e6a259cb50a9b407
SHA25631941b89b35ae48c4caa4d4cb46381dcb76adfeaab4f7fe30ed05f6702ac7aa2
SHA512837a1a2999a4da04405e4d3fe13a7aad65727726e3b9dbf9adc77c38758d18d84fda419d6a9984d8fcc7434004e062abdc7043a074c4ca43b7c8691a97e1de68
-
Filesize
40B
MD5257036a0fb3d2768f2801e5d32b9ce30
SHA10634d123cc54fe889f179f59136e47357ff7f7d3
SHA256fe6257986f35787b1ef9628e36a811d3484fff46899b61381086da82e363c462
SHA512381a451ab3b3c97eb3546554811f0784e5341a7f668b9ceb41dc077d34ebd26fbb29b2e0ab21b2a52b8637b3998943c14ce60380b8525378d37ccdceb0f0e5a1
-
Filesize
1.3MB
MD5e8e2bf2fccf65710f4b5cdfca698b900
SHA139dc4eab9c06016bc6c63d89643e6b727524b1f4
SHA256dc76bce9e68434bb921e5460902d0155943665827a4fdbafa85c8e3d6b87252c
SHA512fa781a6b10e7d7d75dc0eb01d41a16932f85e0d66c989b284025a13608dec1d8c416434585fb80449d4f4709165603990af252c0f5b1e31bae33275213f224a9
-
Filesize
877KB
MD501a7819e5bb007d305254f3c05289b98
SHA15cb0b53b42694776d229eae083a82b29c08393df
SHA2569b7ae16cbf320d75fb4f77abeca1608f6bcedf68d0a6f25468cb9a0a3743defd
SHA512447f5a7861e24890deee9a88ef8f7822577ab992fb7f428294b46a772eaa42c33ba7c0f40a231f6f15ca8b2bf12719e64a94b85f92b395d25674e6c611349f78
-
Filesize
635KB
MD5fd5ebeea238e87b040fa925e1b18bab9
SHA10444115da2c7d144e54f50b24ce91bdc75abc26b
SHA256b44a8432259797659c523bd413e2d3df032baab1c182fd5960cdc43e622102f4
SHA512fa86b54247ab00a58a6d817b0466c468ef67b839e4352f5187c3257fbf3b235540b767aaeb65010f8827b9f1d304267bf0ebc49728ad62d811fac259e90e933c