Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 22:07
Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
Resource: win7-20240221-en
General
Target: 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
Size: 5.5MB
MD5: 449dd7a62646af70ce520a5627783019
SHA1: b3d00c409fedd3f1be0fe27c9947c21a0bf31c76
SHA256: 9ef44acf41d5f758ee6d247364aa71f5108bde44547c71f27720e8923786161a
SHA512: fb34efa6d28a53b89dbf7808db806d1c95382a11abe7cac41ed1b3a75aaea71a15cb5f90054eabbfb767904f5d3a13ae0365f5a07573fb4117f3d2292cf1e79e
SSDEEP: 98304:DAI5pAdVJn9tbnR1VgBVmll2/V0cETQ/I:DAsCh7XYI+Z
Malware Config
Signatures
Executes dropped EXE (26 IoCs)
pid | Process
3376 | alg.exe
4136 | DiagnosticsHub.StandardCollector.Service.exe
2596 | fxssvc.exe
4440 | elevation_service.exe
4480 | elevation_service.exe
4932 | maintenanceservice.exe
5104 | msdtc.exe
4596 | OSE.EXE
2756 | PerceptionSimulationService.exe
2772 | perfhost.exe
524 | locator.exe
1464 | SensorDataService.exe
4836 | snmptrap.exe
1052 | spectrum.exe
1672 | ssh-agent.exe
1668 | TieringEngineService.exe
4928 | AgentService.exe
4424 | vds.exe
4332 | vssvc.exe
3212 | wbengine.exe
3400 | WmiApSrv.exe
868 | SearchIndexer.exe
3460 | chrmstp.exe
2600 | chrmstp.exe
6192 | chrmstp.exe
6268 | chrmstp.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\d7795c70c3a5208d.bin | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\java.exe | alg.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | alg.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0cc886439b5da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b69a56439b5da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bfb04e6539b5da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a67cb86439b5da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005cda176539b5da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b69a56439b5da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618396906261437" | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000070a8816439b5da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a977346539b5da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Modifies registry class 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrome.exe
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid Process
3724 chrome.exe (2 entries)
2204 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe (35 entries)
5308 chrome.exe (2 entries)
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
652 Process not Found (2 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process
3724 chrome.exe (3 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2244 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
Token: SeTakeOwnershipPrivilege 2204 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
Token: SeAuditPrivilege 2596 fxssvc.exe
Token: SeRestorePrivilege 1668 TieringEngineService.exe
Token: SeManageVolumePrivilege 1668 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4928 AgentService.exe
Token: SeBackupPrivilege 4332 vssvc.exe
Token: SeRestorePrivilege 4332 vssvc.exe
Token: SeAuditPrivilege 4332 vssvc.exe
Token: SeBackupPrivilege 3212 wbengine.exe
Token: SeRestorePrivilege 3212 wbengine.exe
Token: SeSecurityPrivilege 3212 wbengine.exe
Token: 33 868 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 868 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 868 SearchIndexer.exe (repeated)
Token: SeShutdownPrivilege 3724 chrome.exe (repeated, alternating with the next row)
Token: SeCreatePagefilePrivilege 3724 chrome.exe (repeated)
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process
3724 chrome.exe (3 entries)
6192 chrmstp.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2244 wrote to memory of 2204 | 2244 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe | 92 (2 entries)
PID 2244 wrote to memory of 3724 | 2244 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe | 94 (2 entries)
PID 3724 wrote to memory of 1724 | 3724 chrome.exe | 95 (2 entries)
PID 3724 wrote to memory of 5376 | 3724 chrome.exe | 120 (repeated)
PID 3724 wrote to memory of 5416 | 3724 chrome.exe | 121 (2 entries)
PID 3724 wrote to memory of 5488 | 3724 chrome.exe | 122 (repeated)
The 5376 and 5488 rows together account for the remaining 56 of the 64 writes listed.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Command lines are shown indented by process depth, with the PID in brackets and the behaviour flags beneath each process.

"C:\Users\Admin\AppData\Local\Temp\2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe"  [PID 2244]
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2cc,0x2d0,0x2d4,0x2a0,0x2d8,0x140462458,0x140462468,0x140462478  [PID 2204]
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run  [PID 3724]
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff852f1ab58,0x7ff852f1ab68,0x7ff852f1ab78  [PID 1724]
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1880,i,17610559963689910894,7229832767820068777,131072 /prefetch:2  [PID 5376]
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1880,i,17610559963689910894,7229832767820068777,131072 /prefetch:8  [PID 5416]
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=1880,i,17610559963689910894,7229832767820068777,131072 /prefetch:8  [PID 5488]
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1880,i,17610559963689910894,7229832767820068777,131072 /prefetch:1  [PID 5692]
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1880,i,17610559963689910894,7229832767820068777,131072 /prefetch:1  [PID 5704]
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3580 --field-trial-handle=1880,i,17610559963689910894,7229832767820068777,131072 /prefetch:1  [PID 4092]
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4212 --field-trial-handle=1880,i,17610559963689910894,7229832767820068777,131072 /prefetch:8  [PID 5576]
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4548 --field-trial-handle=1880,i,17610559963689910894,7229832767820068777,131072 /prefetch:8  [PID 5584]
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4848 --field-trial-handle=1880,i,17610559963689910894,7229832767820068777,131072 /prefetch:8  [PID 5568]
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings  [PID 3460]
          - Executes dropped EXE
            "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68  [PID 2600]
              - Executes dropped EXE
            "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0  [PID 6192]
              - Executes dropped EXE
              - Modifies registry class
              - Suspicious use of FindShellTrayWindow
                "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68  [PID 6268]
                  - Executes dropped EXE
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 --field-trial-handle=1880,i,17610559963689910894,7229832767820068777,131072 /prefetch:8  [PID 5688]
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1880,i,17610559963689910894,7229832767820068777,131072 /prefetch:8  [PID 6336]
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 --field-trial-handle=1880,i,17610559963689910894,7229832767820068777,131072 /prefetch:8  [PID 4268]
          - Modifies registry class
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2604 --field-trial-handle=1880,i,17610559963689910894,7229832767820068777,131072 /prefetch:2  [PID 5308]
          - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\alg.exe  [PID 3376]
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe  [PID 4136]
  - Executes dropped EXE

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv  [PID 4980]

C:\Windows\system32\fxssvc.exe  [PID 2596]
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"  [PID 4440]
  - Executes dropped EXE

"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"  [PID 4480]
  - Executes dropped EXE

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"  [PID 4932]
  - Executes dropped EXE
  - Drops file in Program Files directory

C:\Windows\System32\msdtc.exe  [PID 5104]
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE  [PID 4596]
  - Executes dropped EXE

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe  [PID 2756]
  - Executes dropped EXE

C:\Windows\SysWow64\perfhost.exe  [PID 2772]
  - Executes dropped EXE

C:\Windows\system32\locator.exe  [PID 524]
  - Executes dropped EXE

C:\Windows\System32\SensorDataService.exe  [PID 1464]
  - Executes dropped EXE
  - Checks SCSI registry key(s)

C:\Windows\System32\snmptrap.exe  [PID 4836]
  - Executes dropped EXE

C:\Windows\system32\spectrum.exe  [PID 1052]
  - Executes dropped EXE
  - Checks SCSI registry key(s)

C:\Windows\System32\OpenSSH\ssh-agent.exe  [PID 1672]
  - Executes dropped EXE

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc  [PID 3536]

C:\Windows\system32\TieringEngineService.exe  [PID 1668]
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\AgentService.exe  [PID 4928]
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vds.exe  [PID 4424]
  - Executes dropped EXE

C:\Windows\system32\vssvc.exe  [PID 4332]
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

"C:\Windows\system32\wbengine.exe"  [PID 3212]
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\WmiApSrv.exe  [PID 3400]
  - Executes dropped EXE

C:\Windows\system32\SearchIndexer.exe /Embedding  [PID 868]
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
    "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  [PID 5240]
      - Modifies data under HKEY_USERS
    "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896  [PID 64]
      - Modifies data under HKEY_USERS

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4316,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=3416 /prefetch:8  [PID 5504]
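Read together with the AdjustPrivilegeToken and WriteProcessMemory tables above, the process tree carries the three facts a responder wants from this run: the sample executes from a user-writable Temp path; it enables SeTakeOwnershipPrivilege (the privilege that lets a process seize TrustedInstaller-owned files) and afterwards System32 and Program Files service binaries appear with the "Executes dropped EXE" flag, meaning the file on disk was written during the run before it was launched; and the Temp binary writes into the memory of a process with a different image (chrome.exe, PID 3724). The script below is an added example, not part of this report or of the sandbox's own tooling. It parses the flattened text form this page uses (the fused "<image><command line><depth>⤵" lines, the "Token:" rows and the "PID a wrote to memory of b" rows) and applies those three rules. The embedded sample lines are copied from this report; the rule names, the privilege list and the path prefixes are my own choices, and excluding protected paths from the privilege rule is a simplification, since this very run shows protected binaries being replaced.

```python
"""Triage rules over a sandbox process tree in the flattened form shown above.

Added example; not part of the original report or of the sandbox's tooling.
Input as extracted on this page: a process line is "<image><command line><depth>⤵",
optionally followed by "PID:<n>"; then "- <behaviour>" flag lines and a "PID:<n>"
line.  Privilege rows read "Token: <priv> <pid> <image>"; WriteProcessMemory rows
read "PID <a> wrote to memory of <b> <a> <image> <procid_target>".
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid depth image cmdline flags")

DRIVE = re.compile(r"[A-Za-z]:\\")
TAIL = re.compile(r"(\d)⤵(?:PID:(\d+))?\s*-?\s*$")
TOKEN = re.compile(r"Token: (\S+) (\d+) (\S+)")
WPM = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 \S+ \d+")

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
PROTECTED = ("c:\\windows\\", "c:\\program files")
# Privileges that let a process rewrite protected files or reach into other
# processes (list chosen for this example, not taken from the report).
SENSITIVE = {"SeTakeOwnershipPrivilege", "SeRestorePrivilege", "SeBackupPrivilege",
             "SeDebugPrivilege", "SeLoadDriverPrivilege"}


def split_process_line(line):
    """Return (image, cmdline, depth, pid) from a fused "<image><cmdline><depth>⤵" line."""
    m = TAIL.search(line)
    head = line[:m.start()]
    hits = list(DRIVE.finditer(head))          # the image path repeats inside the cmdline
    cut = hits[1].start() if len(hits) >= 2 else head.find('"')
    if cut > 0 and head[cut - 1] == '"':       # quoted command line follows the image
        cut -= 1
    image = head[:cut]
    if image.startswith("\\??\\"):             # NT-style image path such as \??\c:\...
        image = image[4:]
    return image, head[cut:].strip(), int(m.group(1)), m.group(2)


def parse_tree(text):
    procs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if "⤵" in line and DRIVE.search(line):
            image, cmd, depth, pid = split_process_line(line)
            cur = Proc(pid, depth, image, cmd, [])
            procs.append(cur)
        elif line.startswith("- ") and cur is not None:
            cur.flags.append(line[2:])
        elif line.startswith("PID:") and cur is not None:
            cur = procs[-1] = cur._replace(pid=line[4:].split()[0])
    return procs


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_protected(image):
    return image.lower().startswith(PROTECTED)


def triage(procs, token_rows="", wpm_rows=""):
    """Return de-duplicated (rule, pid, detail) findings."""
    by_pid = {p.pid: p for p in procs}
    out = []

    def add(finding):
        if finding not in out:
            out.append(finding)

    for p in procs:
        if any(s in p.image.lower() for s in USER_WRITABLE):
            add(("user-writable-path", p.pid, p.image))
        # A protected-path binary flagged "Executes dropped EXE" means the file on
        # disk was written during the run before it ran: the binary was replaced.
        if in_protected(p.image) and "Executes dropped EXE" in p.flags:
            add(("protected-binary-replaced", p.pid, p.image))
    for priv, pid, _ in TOKEN.findall(token_rows):
        p = by_pid.get(pid)
        if p and priv in SENSITIVE and not in_protected(p.image):
            add(("sensitive-privilege", pid, priv))
    for src, dst in WPM.findall(wpm_rows):
        s, d = by_pid.get(src), by_pid.get(dst)
        if s and d and basename(s.image) != basename(d.image):
            add(("cross-image-write", src, d.image))
    return out


# Sample input copied from this report (a subset of the Processes section and of
# the AdjustPrivilegeToken / WriteProcessMemory tables).
SAMPLE_TREE = r"""
C:\Users\Admin\AppData\Local\Temp\2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Suspicious use of WriteProcessMemory
PID:3724 -
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3376
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:4980
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:4596
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:868 -
"""
SAMPLE_TOKENS = ("Token: SeTakeOwnershipPrivilege 2244 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe "
                 "Token: SeAuditPrivilege 2596 fxssvc.exe "
                 "Token: SeTakeOwnershipPrivilege 868 SearchIndexer.exe")
SAMPLE_WPM = ("PID 2244 wrote to memory of 2204 2244 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe 92 "
              "PID 2244 wrote to memory of 3724 2244 2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe 94 "
              "PID 3724 wrote to memory of 1724 3724 chrome.exe 95")

if __name__ == "__main__":
    for rule, pid, detail in triage(parse_tree(SAMPLE_TREE), SAMPLE_TOKENS, SAMPLE_WPM):
        print(f"{rule:26} pid={pid:<5} {detail}")
```

On the page's full tree the "protected-binary-replaced" rule fires for every System32 and Program Files service binary listed with "Executes dropped EXE" (alg.exe, fxssvc.exe, msdtc.exe, vssvc.exe, wbengine.exe and the rest), which is the list to hand to whoever restores the host: those files must be replaced from known-good media, not merely deleted.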
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.3MB
MD571d1fd50b07818695dc4e2b0a295de98
SHA1308af57d8dabf626b17826b72eb75fa7f2a81654
SHA25655b3887583b2036c58f7c6caf4b8b241c0ae97d6e4e4d1afafa27a3b06321abe
SHA512dc773d8a641d937cb7db6f4b7d2c691c985a69ec331670eb48b76a98b40bbe849fce6f0ac724b296042378178c10c87c22819fc8044878a66b8af697ab3acb25
-
Filesize
797KB
MD5f15786fcaf30c9a120e8c9979165da17
SHA12b983df2fe2e0e6a04784cbee6e63521a420b239
SHA256cf532d7c24379409f1ac3c6fc22243bc7b61587b4fc8ff305c70cf6a4200267e
SHA512df715c35b24694dac1e16b04f094eeec2ab64673745d1634721d7360c64d21c0cf1bb339d9cadf863c11e6ccd3c361d81e5b4e6b1a55fd3ace3d1fcb065d2b12
-
Filesize
1.1MB
MD5b8468604fa568ae6e2b6d0accd4ba923
SHA152daf397ea4a1e85572c40f0d8b537c51efb4bff
SHA256bf4b781420c829702f8e35887c3778eced6c02e2e401deafc4a6e8227149c608
SHA512164a888bb19998eceb91fe54d36528bf1b86614864671d1161bfe7d3150ffb536c21ce2e30a34f7c4f319770b5b0ab5ecc7f9f5987c547add0bf55a219eeb1ca
-
Filesize
1.5MB
MD5667bca0e2664aa9646c8779f6d4b0030
SHA1a8e0bc9550802e242ab9b745fe48647526a33a2f
SHA2564219bb3ac282df6586688ba0e8c1832e01deb69e2d003803836bfc0d91f51fce
SHA512b4910853dcf969fcfcc5ba52682c07bc66d0bda14e438bc4fb1290d904e671f91d8b0de5ccc0b12febb0b17cd3cb12fbb1c96ecc05add2f1f22dcac9456664a8
-
Filesize
1.2MB
MD5c217a6fc93806c13ea68151d322d41cf
SHA1e23256e9107edd626542af5e8dddcd01eb64f2a2
SHA256730ad7e1345f094f9382012570d847f30d55d43b417dea30addc590e48cbab33
SHA512cc179cb35dc325f031d769316916b11facbcc550155aa44391206c5f8b17f4ecf744a4ef4effba2ce637418d82910baa1c260e189f41a7c217182f35ff10b3f2
-
Filesize
582KB
MD5feef99544e82bb301410d6208a0f2fe3
SHA1f7de72b1e2bc9c9415719e0678b781a945facacc
SHA256743e2becf410673aa693d63f5f81fc8c8667698c049a78295dfe650b0beff3f5
SHA512c9f45424f1886780b8ee55a86110b5fc58c9da7b7f381d4225cf8cddc0996158642eec27c8355835c4c206bd28c555138b727f0cd53bb40299bb314c63ce4b35
-
Filesize
840KB
MD5e757c51c2820924eee7bdc5f863c6628
SHA1c134773450880499ffdd8b15c1507edf3103085a
SHA256a3928b8ab20f1f7f37327e916c833e25409aafdbd56107c93376a4d4ec8e468b
SHA51246876437e4aca916434c13a09478e3dfee160d4264cb89ee40e599e87c0fd18c1013789c23d11646e66bb8ee9f1e5792eab5d152cf7cd22afadccf628c8f5d0a
-
Filesize
4.6MB
MD5284e286a8ebcfb83e70eb8f3639fc7a8
SHA164dc32e226065280044adae74a07b65ffb5723b8
SHA256ae6f5465bd2d262e4fc0d665f697b9451d208631200bbd16b98c0b200d2ec6d3
SHA51274578c6a409a8c836c3742acd08f6a53d3f4141cfbae32997db22b9e2cd2ab5a1a3401763b49c46f76b9d031a85d5bdd001b472d6cc62d569396ff9f20d05114
-
Filesize
910KB
MD549ccd049ee4c98d578346c7c7ab5b698
SHA1c80fa21e615f7d003d6c0a5e00ab2d5dbe7e5230
SHA256456df2e437cdf067b8c7fb6a77cc9c6708c7fe800fe875c6f4e56220b9cd7c06
SHA5129500701f2b139b7356428b85bcf7bb6f0de7efb5c5ce9c2ac820465258807a40c9425412170becb68b5c76115a195c9f2f316b80520a4385fd0d559966d18f00
-
Filesize
24.0MB
MD5b341c114162825088129fa39745e15e6
SHA18955ba2c375882f19b3086db6e343dda3ccd7947
SHA256a806ffd50b69b9560f6534c729f759dd9d9cd89a14ee0afa1afeadf92622488f
SHA512ccf533145d205c23dbcbc1fadd66b227e91af7481f694cea8530d0c1263e5bded3272d712687b15c0dbcfd40834079cccfa2183c9b1c23aa50675530f0145c93
-
Filesize
2.7MB
MD5cf4cdd10633296b08f714d35dc9cddf3
SHA13caaf10a2a17ff7dced629d62c603be184e9f73c
SHA2566b107f30526345b361c777e6232291bec5e61806a56cb94a7d38b1bcdf7b6196
SHA512eabacb53bf6bf9f8976f9c95927f0716d83763fed363c6283a68b6b9c7ac07469e9098ad9ab2e4fbc4a2075fda19d6d9e29cc9dc9e43f6b296f5d6ded16e155f
-
Filesize
805KB
MD5fd45bb4f9d10112e9eee0aa6cd17dba8
SHA13839b755aa892a73071ca177408f46f0dbfd4869
SHA256cbe0410bfc71136f32c40258525487ed9a5d6b53de538a470d9dbc6d136b1259
SHA51264b2d871b2b00eef59d5af5965669f3cdafc69a9cbf4fe600db3e1f0a31a282024f188e63c16c445d8e70c5295b0132d760d8af88c5d43d2ea1a7834b4c0636b
-
Filesize
5.4MB
MD5d03a854e23431527528f2f3d8f836726
SHA1031e9a8f11fbff1692ef8045d027afb861736cc3
SHA256ca284d262daa52fc4559f61eb40deaf08114d1e761350a0211c4feb171c377d8
SHA512d20636649cbfde332f03e0ca49f1ce6d169ca6f00ddd48ac8ad3e25c15f86395ea0b2a548525aa5170e0c5c401efbeebfaebfa82c129739ff69d41e1586b2976
-
Filesize
2.2MB
MD542b8b50d0dd9bd2ac896659db2308745
SHA1cf55851937f26ecea13f20dc7c1859b5c4f10e45
SHA256caa1d93c257ad04041dd2bdbfbe4d2e02b51dd6687e18ae8c280c66fb26cc3b3
SHA5124fac7fceea84511911d7b7d5ec5f9cc62dc000de4ab2831d8ca47b9c4c698884d270787970587f4a4aeeb9623ad8a4a80eea1a750dab2a1ef64cc029c09ebd75
-
Filesize
488B
MD56d971ce11af4a6a93a4311841da1a178
SHA1cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize
1.2MB
MD5dd4e8d328f346a46379132b555aa5d1a
SHA17f99990c23f9eba9863ecbfd863c3fcc77825c77
SHA256ee92e09f14ee75811577088a70467faaa4ebd46f4c97dc6e16edce1e162d2cc3
SHA512a128433640b31ce68a7b068a89e3e7cb56ff4d098ba6d07ce287282918055153311520d9f4c681e94a9dde40a686bcae2e866195388eb2be9b14a142030302e5
-
Filesize
1.5MB
MD536438a31c2f71f0d9e780238564419aa
SHA1a2f83ba020b778bad71e767859245126f7fee372
SHA25642a98be454f87efd0fdaa9c4436b53e88dc4fec165352380b02b23431f791ce1
SHA512aed8e288a5cd49e452629dfeaa09bcf08e554aaf454d168b3f7d09c4d091b034009786701399afe804b2d9ac25e4ec01dd39c9ecfef4480425b6674b926b90c3
-
Filesize
40B
MD5
e646991f9b7863013f4543e5deea2d49
SHA1
7d3ab1c249b15c5bc5761baef819fa96b043539a
SHA256
0cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07
SHA512
8b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f
-
Filesize
193KB
MD5
ef36a84ad2bc23f79d171c604b56de29
SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize
1KB
MD5
16f48356ddea1d87835483ed7b0d066a
SHA1
c1f0f802753a6a91ce7093dfa58014ccc9cd546e
SHA256
260b342a920111449c717f9600c27f03deb5c0acc6b3cb4910e5a104021fc52a
SHA512
5149a548dde6755b0264c0e47759b243d39f9cda858d4f622066d7d2d485cf17f9d45a5b1dae5d8bfaf3ad0200143fc43509ae975d87f6c7dd41a0ef21d8b7a7
-
Filesize
2B
MD5
d751713988987e9331980363e24189ce
SHA1
97d170e1550eee4afc0af065b78cda302a97674c
SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\e5e6b2c8-3c7f-4fd5-b276-1ed3a3ceac6a.tmp
Filesize
354B
MD5
d5f9a9e90ec546c51de87c4503e7242a
SHA1
e6c568c962ce5c83874c99dc16555bde762e4759
SHA256
17f9bbb3bd1b27a069561bc20cafaf790610b274c282a5fd11bae71cca092cba
SHA512
a5d3c17a879b5397131754abd968d626a6efc60a9b35023307f3a4618becb96e58f79ad18a8ef4471499f78d9c3c22153520238fa75f8871da2cb7c9b7c4c933
-
Filesize
5KB
MD5
6763fc733e2ad835c6be517e5c64cee2
SHA1
3ab339b47cf620113c31dad6ef1972f6755555bf
SHA256
31121fccf365a9f9797b32480086f25a85928650b49f3cf9d1f6703da0aa03c3
SHA512
89b1fe916d1d48872047d68ca44f0653b57a7c4962e4344a8dc24a968408c7b721e5947fd5534060e2029b4d0edb532a4c6f67ff9dd0f9f181b59584c17711dd
-
Filesize
2KB
MD5
c4d12c24a85b7e1aaf85cad983fe7610
SHA1
00bcb6e962cbc5a3d88689ec2f8c15feda6ff7fb
SHA256
6568b506f3cb4367abf414e66e1e93a4d4e40339dd3a2a1d5ded1f1907484337
SHA512
0d45cd5f36424147b7a67d4f154539d9ddde285cb363a139c5922814e6073cf731d61902a7eb84e9ac6547bcd52e65b023a2f97636072db478ccd04495a59aa6
-
Filesize
16KB
MD5
a1ac483d324bc1d7821af73ce7192bdb
SHA1
9f13a4f73f45264105f312420577e2f68a3bc1fa
SHA256
5c47cc3abb00df27b680022eb9ee26663e8bc36b260990e0c2c2c61e19837125
SHA512
08946de384d1367996ad9855b98e542207fd4af2052eed541debbcceeef223090a2ed3ae94afd84373d931515e23bc5153b33d4765953732ad8ea5e6e55f4df2
-
Filesize
261KB
MD5
87ced794df71b42bc704f064d034211b
SHA1
0cc08d1f031fbb5282b74591fc9c851073157851
SHA256
2460a2342585ce89d1cede428176796a1565593a8dc2c3d19ad8bc9e6e521fb8
SHA512
1c3167250cf9d5357404141a958eef25308183c24a52a008487570d74499fb7e4d6f4bc1436e2adef0daa31bb370593bdee0d2e2a1308d7695e710a8ec357111
-
Filesize
7KB
MD5
4b807f8d8c1001a439a2d0428adf3150
SHA1
d4368108b81bcceffa86a3d1e1865059f2858839
SHA256
59c49692e79c0721b5e108c8ed1b7889a8455489b687a8139a90348770236e6f
SHA512
cea57ebe2c55fd91fe5fd9a4fc948dd93f9f6ed453daf73fe184ed9575508bfa0d5be6d8783df742d38005dc624a111b61f8fafe637b102ebcfe14dbe18f10d2
-
Filesize
8KB
MD5
8126b63d6abfdd0d86798052a9558eed
SHA1
9962c4e3ac4ab70f2e18190272f6ce72d6751ce8
SHA256
a3e0dc46da11209340a21e0ea76157a3eecd9aca72079f4c81d35af4c65fcf1e
SHA512
8e1939d76c2b32aeac36462fda8d0fb2cfbcef8a25207f7a7ecd2cc356c550b1daba90d568c1f6b538bb4a9c0e2e4f9a9f07706c553d3845e22251b94a4ddc61
-
Filesize
12KB
MD5
de54187f7e7ba8a657f178bd20ca50ac
SHA1
1190aad6e1f7d110e399b09646417aec66991dd1
SHA256
550cfe2b103b38c43b5f50928cba2e4422f914869ac7102281e2ea7521551119
SHA512
34428471de45e843c02074a6084233daf2d2a37a4a839c28336fe71235c29d7f6b17d92731fe8007b2e58c88b2a1ca29cb9f587b81ac943d02e5c3fb35e21e76
-
Filesize
588KB
MD5
3635f12d259d9bc84a84ae1061f4e2b7
SHA1
b1d3ecb5be78e1f0aea16802efc21cd5f07101b1
SHA256
5b7cbd86a011ed293d1e852693fb0eef8726d456daa5f202f6967f3d16c04385
SHA512
1fa1ccd5c156f36b3f0fa86f5d40617ec815d165073d5468ae929bf32bdb43b3601ec6d77a7da92a9e0098a6e795d2b21898ea5de044e9e058adc8d99a6826a7
-
Filesize
1.7MB
MD5
2550eb922b31961686d5c0deedcf20a5
SHA1
39ac863fcd8a400c402fa6518ec15d24ebe2a797
SHA256
7cc255ecc7726d1a7d8848a80a55dd743d14acfcf5f0c48ba47af2a3adacebaa
SHA512
d9a016d0a1c855ac2807d52c80d6a368083a9a2a477751e62d5842221396e6951c1851d84c4bc7a8b3b2aba5f8f279f6afedb045edd61d4e6a8b98a55244a82b
-
Filesize
659KB
MD5
0d73d361e5200b98e2164b08fc29e8cf
SHA1
551839714c0e352a1503be5ae8172dcbc599568c
SHA256
ab38116afd4b47ec04416f04e036825a6ccd759fa217a14396dba5fafd08baaf
SHA512
45e21a64ad5c94f10b499154a21f6a65a7731ab3218c88d578229ededdd273c7c6169826d69442f55181c8b511babc034e6be70eec9584bdf5bdeb2f836ec68c
-
Filesize
1.2MB
MD5
bc90b745e17e519a5d6c0e55fa3eb423
SHA1
02e391e29cf991f0852b3b0a00f90a28f1429900
SHA256
4cb9a1e1117b6accd10bd482fdb92b53c2f21bd4f5e42e92858fafd7627153cd
SHA512
11d488864f4997befb67400b374062dade0ab5d9d59ee6c1e9f56c0ff6a71d1d542cc8d705550dd84ed6e75e5a0d5276edfad519a7f63a1e7464b549ba1edacc
-
Filesize
578KB
MD5
72e7a7cbbadd1ed5c7026333a7c0bdd1
SHA1
58d74e3472163f6c10a1211644fec7890a3eb901
SHA256
2ba8dbabad43ddbdf749173d8857861224bb485457ee06d7b53c7a0f8377501e
SHA512
5d3a9196e37dd4ca9176abd659235acc62407e72664a41549a2ff225f78e4a72c4bc7527c332aaedb7ebfd3df48563c2dc1f313467cebdbf6d88e0edb6f89aaf
-
Filesize
940KB
MD5
e27f0461a05704002bbb7a2a00e27658
SHA1
c102ef43824d5151f46bd7e1efcc59f3ebe951f2
SHA256
fe72a8f63cd54f672658cd0de652ae08b1aa6a809b3af7e18c3dfd468f1ad06b
SHA512
30a238b94b7d1c482fe3c7b6d972225b30beb5f91ffa190da71626fcc01dba7855c1baeb7a2f4d63b042f1810519b90ee1eb4280938f72982475f515be1596be
-
Filesize
671KB
MD5
a17a7ea2b6060472e27d0f39a9c0bc23
SHA1
bdebbffa7d71d54d7fd5f2d9fe0d8cc6d43a3403
SHA256
271ef660db0a05c3b09dde7d75af6d960590475c99477bd15bdae56d5455fe02
SHA512
3ab1b6367bfb6313f0b1fae8553e54c02cf67354f0efaa1be3215e66395cadb938226a00a0fbd5e26678248a55db0e7f470c59e4878e13c21e318f16ad7109e7
-
Filesize
1.4MB
MD5
f8cdce15a824342b984b6fa3107f1d51
SHA1
ec380f85d3c92db5d7e6c8b450be3cec05c2db47
SHA256
6bcafd3587eb2f135c0677af1c87cad9cfcac1922c0f7504d5dff23aaac47374
SHA512
c15fbb209118b62158a1fb83980e8622d6d33ec5c2dcfe70828642f37a5b084b002c7811a5993891aa76eb2745bf864d6553ea89c0727ebfe06c09cce2784a58
-
Filesize
1.8MB
MD5
1a2b224f17daad981d28bb7f75e544cd
SHA1
abdb89cbbaa94daadc6b1924c6435223c4470f6a
SHA256
55df047a2c86335c25c92c184feccad6faea4e440de530f5d2a62259b196eada
SHA512
b0bf3d9f38b9ac0d4c54e496dac3e31d5281330ffd865bebd6143534d12b7620e28ef765447a3180964eabb3253747666c2017eee808b27610c04bbc3e59b9db
-
Filesize
1.4MB
MD5
e396d0a8b00f15fd1a9abc78cbc2a222
SHA1
a6f63f2a10ce3488f5551e7d463b24a9ba396dc7
SHA256
e34ef607710b7ebc54f518f5ff7b741bda0c889792a5f20a07784acdab3f42f3
SHA512
b3ace30490e494c871a1ce525115cf7103964ee28904eeee343126e3290e5641cdc5dd966155083683bdcb1d14ad1aa1d66ba7c56d663a63cc24244c5e8e87f8
-
Filesize
885KB
MD5
9eea0a2dd5b84ba10e07e9dd45f768a8
SHA1
7c08d5a5b68efe0147d7fa224359fea9e51b8e1b
SHA256
1168e37c1f7277006566aa05e864d8e114999afdc68c7643a9803949211f0eac
SHA512
0b5efebbf0c4e3b6cc5d3f5b7d4101cb409423466d56c63671cd7ee88bc87f19fc51c83c01bc09df651d99aae372929d981c6a7f0f0ea6672846f4169f168202
-
Filesize
2.0MB
MD5
157fd48d976d87e165171ff00d511585
SHA1
78e0e02011f2be42398342228b9a61da949d6a33
SHA256
ce97fe8f8340bf18b095b6bd29e292fb00bca25d75ed29ace8ae69a678c9608a
SHA512
353024181b58fe3c3a080afdd5f7199aff86151ac0b755b9a28433f02847eb26012acbd57d95d27efdd7ad493f51477a567d8bf88e3fa12f91c4f9179aab68ad
-
Filesize
661KB
MD5
760c81d8b833032487b15cf4161d8cee
SHA1
af90fde06d488d6e8b42b6e952118e1d9713e374
SHA256
380b7628486f2ea9cf98496307872b6eb7e15bc840928eb66b1dcef25fd3ced2
SHA512
6ec1fe5500a7ac7be720d2f1e842afdcae1c614acce79b442604525801dfb955f8c2cd5561f5129eafdc675f9228ea29c7f71de5c1162e4c2ff211ec18318b0a
-
Filesize
712KB
MD5
9a40c8a3a37c8b5a8d7c09483ca9006a
SHA1
372dbbfe54690b0d37d3f17d599d1bd312429206
SHA256
6daf9174d8aa01ecf0619a07aaeabcc0164a59cc3fcf68337007a07722459f96
SHA512
bf276efecb587d76e55bc5fe6119d6830fb479634f1fab9aacd657c1f45729c0760246003e531459fd494f15643fb004ea7f521592d26d9415ab076e3a751eb4
-
Filesize
584KB
MD5
e2ba9cf3e51008fcbcdb979db3e1fab5
SHA1
b1092ed662156cfa7661e1a0798bdf2614426fc5
SHA256
ab5dc2045766450d532feaff591bbd8ba9b2c54149ec3b6a218d11ffd162aa94
SHA512
79be44d52464fe53748e83bdfe68f45016703351ef14435064e8a28fa525b4d2a484300e7102bc6edcddd51cb9806bc84cc0081c6a0ca253ec9c8b15deecf129
-
Filesize
1.3MB
MD5
765e27cb2f10b64a87f695a5c380b7c4
SHA1
f1642b6d60116963d37a4fb1cd379d3494b372e6
SHA256
5a5414a15cbb16378859129008435fa8df75a5a577ad289da03e0cfcf0ba6261
SHA512
ec6339becd137f84a4428b82b833e4cb33000f6470ef02df7366779de998897f518909d212849ed55a995117e59896920dd262b756db0e849b796b317030eae3
-
Filesize
772KB
MD5
24b1e1fcacbaaa15e699a832f6882eba
SHA1
1860a94d8ece567a3643f15beea8eb4e2caaae5d
SHA256
f3a3d87a26363fefb1dd99c8493bce65c04184951b4837cbf9c59e8a2a85fec6
SHA512
be74a30bfa092b7b6a784611c22ae9a814a630edcadcb28f566d56e34b6e338078527f0e6464966678bcb516af250c835c6fd06f079f0ab097925fdf537def7b
-
Filesize
2.1MB
MD5
005e0cf9bdad50c74892154cb010daa6
SHA1
dc96d7f0e92e9dddc989e382aa086cf2d46e994d
SHA256
4fa276418393ad9e6eb55ac1413f59bbd2a297a8e8d675c22e77fce511be73b1
SHA512
3c1c18c17e5a064bd8c6ea6d3fdc74152efc39d0e537edf8e46098ca91702578b8887bb3db490759b53dc44730be51ee1a3d05ecd6499b1d60bdb562b0b5ae91
-
Filesize
40B
MD5
de12892063f81f60b11c0497ec332fa7
SHA1
ccfa0530f55d277c3fe6d75260088ae08d5b7616
SHA256
afd8ccad757251c38eecbb67fc9f41af5aecfec62b521b229c5b17e17ba05eae
SHA512
441e809f431b7d1715efa1a6eeda910ba6945b9529a6330cf964a1d8f7233e97893e6eac6758abbeca4c61d315829371fa2e2fa02a5b838d1fb79e7a43b6d7ca
-
Filesize
1.3MB
MD5
0c40e0cd4f83a5dbbe07a815b0bdaf73
SHA1
7d97feee3ff4c73789619451232db1772b0d50a8
SHA256
0bab945ab8ef811ec7ca419c5c398a31c0b3434364618cc97ef2b32a23dcf203
SHA512
856aea4f3e3a657c9910c888825a75c92316fc4fe1fc5be1c7b485f170404f9e9d0665ef041d5d00ea34de328fa7d8e69bc7994639f59e2c8295a02041465b41
-
Filesize
877KB
MD5
8361669181536c57edbbcff088e5a992
SHA1
c1d85132bc31df9eb46be5e8d000982132be8d03
SHA256
286ec65cf187e3e7c93db41487c1adb79f456cb9242792ec498bb05d51ed4527
SHA512
43c11afa3e509d9c5791df2103a5db4ef20b8aa144e1dfeff5e7807057b0906d33115adee8487c425968b5983858def83892979075fcc95acb4386790ef73b31
-
Filesize
635KB
MD5
fc19d5ecb2a0edffec4c38553a2d1249
SHA1
6957e877b734bd1993a055c98b831edbb6df257c
SHA256
054719f059968e0200600fdd9c97a380445b0ced08648ad554312015d424fbf7
SHA512
ade247840ae3ab79a57af95d76688d8c52604b01965a199332f241b5b79356086f6d2809814d425d63df0af5ea550d290330ef87a5d0dd370a92f1fd668335e7