Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 2024-06-02 15:15

Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
  Resource: win7-20240221-en
General

Target: 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
Size: 5.5MB
MD5: d8779271c4e8b8697ab3f5728203f43d
SHA1: 5ff2cb371e037b62783d8cf15e269421ff45a091
SHA256: 8c66a1c5dc97cce8421c9d8c8abf1b2ff688235b4ea47f4dde59fb894d2e59a0
SHA512: 239b385155a95ba745710568140f4abc25c26ff4733246819c6361732737fecfe1d443c00c5acd7fe4dfa5ecec00bad021bce5527ea02813f679c3fb50c07371
SSDEEP: 49152:UEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf8:SAI5pAdVJn9tbnR1VgBVmBfEkKK90
Malware Config

Signatures
Executes dropped EXE (26 IoCs)
Most of the names below are Windows or third-party service binaries whose on-disk files appear as "opened for modification" by the sample or by alg.exe in the file-write tables that follow. "Dropped" here therefore covers existing host executables that were modified in place and then run, not only newly created files.

PID  | Process
4256 | alg.exe
3852 | DiagnosticsHub.StandardCollector.Service.exe
764  | fxssvc.exe
3924 | elevation_service.exe
4912 | elevation_service.exe
5024 | maintenanceservice.exe
4116 | msdtc.exe
2788 | OSE.EXE
4176 | PerceptionSimulationService.exe
1612 | perfhost.exe
4384 | locator.exe
4884 | SensorDataService.exe
2756 | snmptrap.exe
3144 | spectrum.exe
4476 | ssh-agent.exe
5100 | TieringEngineService.exe
4332 | AgentService.exe
1052 | vds.exe
2712 | vssvc.exe
1664 | wbengine.exe
3096 | WmiApSrv.exe
556  | SearchIndexer.exe
6088 | chrmstp.exe
2836 | chrmstp.exe
5504 | chrmstp.exe
5592 | chrmstp.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. The report lists no file or registry IoCs for this signature.
Drops file in System32 directory (31 IoCs)

Description | IoC | Process
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\b5b18cebc3136770.bin | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
Drops file in Program Files directory (64 IoCs)

Description | IoC | Process
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
Drops file in Windows directory (3 IoCs)

Description | IoC | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
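The three file-write tables above, read together with the process list under Executes dropped EXE, are the part of this report a responder acts on: the sample opens existing service and application executables for modification, and one of them (alg.exe) then goes on to modify further binaries and to write b5b18cebc3136770.bin under the SYSTEM profile. The Python below is an added triage helper written for this page, not tooling from the sandbox or from whoever analysed the sample. It parses records in the flattened "<description> <path> <process>" form the report uses (including several records run together on one line), groups them by writing process, and produces the list of executables to re-hash or signature-check on a suspect host. The embedded records are a subset copied from the System32 and Program Files tables; the EXECUTED list is a subset of the Executes dropped EXE names.

```python
"""Turn the report's file-write IoCs into a per-process host check-list.
Added triage example for this page; not tooling from the sandbox or the sample."""
import re
from collections import defaultdict

SAMPLE_EXE = "2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe"

# Records copied from the System32 and Program Files tables above (a subset of
# the 95 rows shown there).  The first entry keeps three records run together on
# one line, exactly as the flattened report presents them, so the parser has to
# cope with that as well as with paths that contain spaces.
REPORT_TEXT = "\n".join([
    r"File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe " + SAMPLE_EXE
    + r" File opened for modification C:\Windows\system32\SgrmBroker.exe alg.exe"
    + r" File opened for modification C:\Windows\system32\fxssvc.exe " + SAMPLE_EXE,
    r"File opened for modification C:\Windows\system32\AgentService.exe alg.exe",
    r"File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\b5b18cebc3136770.bin alg.exe",
    r"File opened for modification C:\Windows\system32\SgrmBroker.exe " + SAMPLE_EXE,
    r"File opened for modification C:\Windows\system32\fxssvc.exe alg.exe",
    r"File opened for modification C:\Windows\System32\alg.exe " + SAMPLE_EXE,
    r"File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe " + SAMPLE_EXE,
    r"File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe -",
])

# A subset of the names under "Executes dropped EXE" above.
EXECUTED = ["alg.exe", "fxssvc.exe", "elevation_service.exe", "WmiApSrv.exe"]

# <description> <path, may contain spaces> <process ending in .exe>, repeated.
# A record ends where the next "File opened for modification" starts or at end
# of line (optionally followed by the stray " -" the page carries).
RECORD_RE = re.compile(
    r"File opened for modification (?P<path>.+?) (?P<proc>\S+\.(?:exe|EXE))"
    r"(?= File opened for modification|\s*-?\s*$)",
    re.MULTILINE,
)


def parse_file_writes(text):
    """List of (path, writing process) tuples from flattened report text."""
    return [(m.group("path"), m.group("proc")) for m in RECORD_RE.finditer(text)]


def writes_by_process(records):
    """Writing process -> set of paths it opened for modification."""
    out = defaultdict(set)
    for path, proc in records:
        out[proc].add(path)
    return dict(out)


def second_stage_writers(records, sample_name):
    """Processes other than the submitted sample that wrote files.  In this
    report that is alg.exe, a System32 binary the sample modified and then
    executed, which went on to modify further binaries itself."""
    return sorted({proc for _, proc in records if proc != sample_name})


def touched_by_both(records, sample_name, other):
    """Paths written by the sample and again by a second-stage writer."""
    per = writes_by_process(records)
    return sorted(per.get(sample_name, set()) & per.get(other, set()))


def executables_to_verify(records):
    """Deduplicated PE paths to re-hash and Authenticode-check on a suspect host."""
    return sorted({p for p, _ in records if p.lower().endswith(".exe")})


def executed_from_modified(records, executed):
    """Names from the Executes dropped EXE list whose on-disk file also appears
    among the modified paths: host executables patched in place, then run."""
    modified = {p.rsplit("\\", 1)[-1].lower() for p, _ in records}
    return sorted(n for n in executed if n.lower() in modified)


if __name__ == "__main__":
    recs = parse_file_writes(REPORT_TEXT)
    for proc, paths in writes_by_process(recs).items():
        print(f"{proc}: {len(paths)} file(s)")
    print("second-stage writers:", second_stage_writers(recs, SAMPLE_EXE))
    print("written by sample and alg.exe:", touched_by_both(recs, SAMPLE_EXE, "alg.exe"))
    print("modified then executed:", executed_from_modified(recs, EXECUTED))
    for path in executables_to_verify(recs):
        print("verify:", path)
```

On a host, feed the paths from executables_to_verify to a hash comparison against a known-good image or to Get-AuthenticodeSignature; a modified-in-place service binary will no longer carry a valid signature. The output of executed_from_modified is the list to prioritise, since those are the patched binaries that were actually started in the sandbox.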
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments. Note that the two readers here, SensorDataService.exe and spectrum.exe, are Windows services whose binaries the sample opened for modification (see the System32 table above) and which appear in the Executes dropped EXE list; the reads may be those services' own device enumeration rather than anti-analysis logic in the payload, so treat this signature as a lead rather than proof.

Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
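Nothing in the SCSI table depends on the value of a property: the device vendor and product are part of the key name itself, so merely opening \Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\... already tells the caller it is running on a QEMU-backed machine. The Python below is an added example for this page, not the sample's code or the sandbox's. It parses the four device instances that recur across the 64 IoCs and flags the hypervisor markers their vendor/product strings carry. The VM_MARKERS list is an assumption for illustration; the report does not say which strings, if any, the sample compares against.

```python
"""Parse the SCSI device-instance paths from the report's registry IoCs and
flag hypervisor markers.  Added example for this page; not the sample's code."""
import re

# The four device instances that recur across all 64 IoCs (copied from the
# table above; only one representative key per device is kept here).
SCSI_KEYS = [
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName",
]

# Windows builds the key name from the device's SCSI INQUIRY data:
#   <Type>&Ven_<vendor>&Prod_<product>[&Rev_<rev>]\<instance id>
DEVICE_ID_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"(?:&Rev_(?P<rev>[^&\\]*))?\\(?P<instance>[^\\]+)",
    re.IGNORECASE,
)

# Substrings that give a hypervisor away.  QEMU and VIRTUAL are what this report
# shows; the others are common ones.  Assumption: this list is illustrative; the
# report does not say what the sample itself compares against.
VM_MARKERS = ("QEMU", "VIRTUAL", "VMWARE", "VBOX", "VIRTIO", "XEN", "HYPER-V")


def parse_scsi_key(key):
    """Return type/vendor/product/rev/instance for one Enum\\SCSI key, or None."""
    m = DEVICE_ID_RE.search(key)
    return m.groupdict() if m else None


def device_id(dev):
    """Rebuild the device-instance string Windows uses under Enum\\SCSI."""
    rev = f"&Rev_{dev['rev']}" if dev.get("rev") else ""
    return f"{dev['type']}&Ven_{dev['vendor']}&Prod_{dev['product']}{rev}\\{dev['instance']}"


def device_inventory(keys):
    """Distinct device instances referenced by a list of registry IoC paths."""
    devs = {device_id(d) for d in map(parse_scsi_key, keys) if d}
    return sorted(devs)


def vm_indicators(keys):
    """Map device instance -> first hypervisor marker found in its vendor or
    product string.  Devices with no marker are left out."""
    hits = {}
    for key in keys:
        dev = parse_scsi_key(key)
        if not dev:
            continue
        ident = f"{dev['vendor']}/{dev['product']}".upper()
        for marker in VM_MARKERS:
            if marker in ident:
                hits[device_id(dev)] = marker
                break
    return hits


if __name__ == "__main__":
    for dev in device_inventory(SCSI_KEYS):
        print(dev)
    for dev, marker in vm_indicators(SCSI_KEYS).items():
        print(f"VM marker {marker!r}: {dev}")
```

Run against the four keys, only the optical devices (the two Msft Virtual DVD-ROM instances and the QEMU DVD-ROM) are flagged; the disk, presented as Ven_DADY Prod_HARDDISK, carries no obvious marker. Because these key names are derived from the hardware IDs the virtual device model reports, an analysis VM that needs to pass this kind of check has to change the optical device's vendor/product strings at the hypervisor; editing FriendlyName in the registry is not enough.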
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. The reader here, TieringEngineService.exe, is another Windows service binary that the sample opened for modification and that appears in the Executes dropped EXE list.

Description | IoC | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)

Description | IoC | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
All 64 entries are written by SearchProtocolHost.exe, SearchFilterHost.exe, SearchIndexer.exe, fxssvc.exe and chrome.exe. The MuiCache, FileExts and Shell Extensions writes under .DEFAULT are the bookkeeping the Windows Search components produce when they start; SearchIndexer.exe and fxssvc.exe are among the modified binaries listed under Executes dropped EXE.

Description | IoC | Process
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618149359468941" | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002bef6abcffb4da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b292ecbbffb4da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9bad4bbffb4da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d11bf6bbffb4da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dfe0fabbffb4da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f60ddbcffb4da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb99f7bcffb4da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc035fbcffb4da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe -
Suspicious behavior: EnumeratesProcesses 41 IoCs
pid Process 4328 chrome.exe 4328 chrome.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 
2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 3448 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 4328 chrome.exe 4328 chrome.exe 1384 chrome.exe 1384 chrome.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 680 Process not Found 680 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 4328 chrome.exe 4328 chrome.exe 4328 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 4532 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe Token: SeAuditPrivilege 764 fxssvc.exe Token: SeRestorePrivilege 5100 TieringEngineService.exe Token: SeManageVolumePrivilege 5100 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 4332 AgentService.exe Token: SeBackupPrivilege 2712 vssvc.exe Token: SeRestorePrivilege 2712 vssvc.exe Token: SeAuditPrivilege 2712 vssvc.exe Token: SeBackupPrivilege 1664 wbengine.exe Token: SeRestorePrivilege 1664 wbengine.exe Token: SeSecurityPrivilege 1664 wbengine.exe Token: 33 556 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 556 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 556 SearchIndexer.exe Token: SeShutdownPrivilege 4328 
chrome.exe Token: SeCreatePagefilePrivilege 4328 chrome.exe Token: SeShutdownPrivilege 4328 chrome.exe Token: SeCreatePagefilePrivilege 4328 chrome.exe Token: SeShutdownPrivilege 4328 chrome.exe Token: SeCreatePagefilePrivilege 4328 chrome.exe Token: SeShutdownPrivilege 4328 chrome.exe Token: SeCreatePagefilePrivilege 4328 chrome.exe Token: SeShutdownPrivilege 4328 chrome.exe Token: SeCreatePagefilePrivilege 4328 chrome.exe Token: SeShutdownPrivilege 4328 chrome.exe Token: SeCreatePagefilePrivilege 4328 chrome.exe Token: SeShutdownPrivilege 4328 chrome.exe Token: SeCreatePagefilePrivilege 4328 chrome.exe Token: SeShutdownPrivilege 4328 chrome.exe Token: SeCreatePagefilePrivilege 4328 chrome.exe Token: SeShutdownPrivilege 4328 chrome.exe Token: SeCreatePagefilePrivilege 4328 chrome.exe Token: SeShutdownPrivilege 4328 chrome.exe Token: SeCreatePagefilePrivilege 4328 chrome.exe Token: SeShutdownPrivilege 4328 chrome.exe Token: SeCreatePagefilePrivilege 4328 chrome.exe Token: SeShutdownPrivilege 4328 chrome.exe Token: SeCreatePagefilePrivilege 4328 chrome.exe Token: SeShutdownPrivilege 4328 chrome.exe Token: SeCreatePagefilePrivilege 4328 chrome.exe Token: SeShutdownPrivilege 4328 chrome.exe -
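The table above records the sample itself (PID 4532) enabling SeTakeOwnershipPrivilege, the right that lets a process take ownership of files it otherwise could not write, such as the System32 service binaries listed under "Drops file in System32 directory". The following is an added example, not part of this report or of the sandbox's tooling, of hunting for the same privilege adjustment on a live host: Windows writes Security event 4703 ("A token right was adjusted") whenever a process enables or disables rights in its token, and the script reports any process outside an allowlist that enabled SeTakeOwnershipPrivilege, SeRestorePrivilege or SeBackupPrivilege. The allowlist is an assumption for a stock Windows 10 host and must be tuned per environment; the audit subcategory has to be enabled and the shell run elevated.

```powershell
# Added example (not part of the sandbox report): hunt for suspicious privilege
# enabling via Security event 4703 "A token right was adjusted".
# Prerequisites: run elevated, and enable the subcategory first:
#   auditpol /set /subcategory:"Token Right Adjusted Events" /success:enable

$WatchedPrivileges = @('SeTakeOwnershipPrivilege', 'SeRestorePrivilege', 'SeBackupPrivilege')

# Assumption: system processes that legitimately enable these rights on a stock
# Windows 10 host. vssvc, wbengine and TieringEngineService appear in the report
# above doing exactly that; tune the list for your environment.
$AllowedProcesses = @(
    'C:\Windows\System32\svchost.exe',
    'C:\Windows\System32\SearchIndexer.exe',
    'C:\Windows\System32\vssvc.exe',
    'C:\Windows\System32\wbengine.exe',
    'C:\Windows\System32\TieringEngineService.exe'
)

$Since  = (Get-Date).AddHours(-24)
$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4703; StartTime = $Since } -ErrorAction SilentlyContinue

$Findings = foreach ($Event in $Events) {
    # Pull the EventData fields out of the event XML by name.
    $Xml  = [xml]$Event.ToXml()
    $Data = @{}
    foreach ($Field in $Xml.Event.EventData.Data) { $Data[$Field.Name] = $Field.'#text' }

    # EnabledPrivilegeList is a whitespace-separated list of privilege names ("-" if empty).
    $Enabled = @(($Data['EnabledPrivilegeList'] -split '\s+') | Where-Object { $_ })
    $Hits    = @($Enabled | Where-Object { $WatchedPrivileges -contains $_ })
    if ($Hits.Count -eq 0) { continue }

    $ProcessName = $Data['ProcessName']
    if ($AllowedProcesses -contains $ProcessName) { continue }

    [pscustomobject]@{
        Time      = $Event.TimeCreated
        ProcessId = [int]$Data['ProcessId']     # logged as hex; 0x11b4 would be PID 4532
        Process   = $ProcessName
        User      = '{0}\{1}' -f $Data['SubjectDomainName'], $Data['SubjectUserName']
        Enabled   = ($Hits -join ',')
    }
}

$Findings | Sort-Object Time | Format-Table -AutoSize
```

Event 4703 is high-volume (svchost and the indexer adjust rights constantly, as the table itself shows), so the allowlist and the narrow privilege set are what make the query usable; a process launched from a user's Temp directory enabling SeTakeOwnershipPrivilege, as the sample does here, is the pattern worth alerting on.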
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 4328 chrome.exe 4328 chrome.exe 4328 chrome.exe 5504 chrmstp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4532 wrote to memory of 3448 4532 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 82 PID 4532 wrote to memory of 3448 4532 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 82 PID 4532 wrote to memory of 4328 4532 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 83 PID 4532 wrote to memory of 4328 4532 2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe 83 PID 4328 wrote to memory of 2548 4328 chrome.exe 84 PID 4328 wrote to memory of 2548 4328 chrome.exe 84 PID 556 wrote to memory of 828 556 SearchIndexer.exe 111 PID 556 wrote to memory of 828 556 SearchIndexer.exe 111 PID 556 wrote to memory of 4796 556 SearchIndexer.exe 112 PID 556 wrote to memory of 4796 556 SearchIndexer.exe 112 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 
4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 2216 4328 chrome.exe 113 PID 4328 wrote to memory of 3212 4328 chrome.exe 114 PID 4328 wrote to memory of 3212 4328 chrome.exe 114 PID 4328 wrote to memory of 4448 4328 chrome.exe 115 PID 4328 wrote to memory of 4448 4328 chrome.exe 115 PID 4328 wrote to memory of 4448 4328 chrome.exe 115 PID 4328 wrote to memory of 4448 4328 chrome.exe 115 PID 4328 wrote to memory of 4448 4328 chrome.exe 115 PID 4328 wrote to memory of 4448 4328 chrome.exe 115 PID 4328 wrote to memory of 4448 4328 chrome.exe 115 PID 4328 wrote to memory of 4448 4328 chrome.exe 115 PID 4328 wrote to memory of 4448 4328 chrome.exe 115 PID 4328 wrote to memory of 4448 4328 chrome.exe 115 PID 4328 wrote to memory of 4448 4328 chrome.exe 115 PID 4328 wrote to memory of 4448 4328 chrome.exe 115 PID 4328 wrote to memory of 4448 4328 chrome.exe 115 PID 4328 wrote to memory of 4448 4328 chrome.exe 115 PID 4328 wrote to memory of 4448 4328 chrome.exe 115 PID 4328 wrote to memory of 4448 4328 chrome.exe 115 PID 4328 wrote to memory of 4448 4328 chrome.exe 115 PID 4328 wrote to memory of 4448 4328 chrome.exe 115 PID 4328 wrote to memory of 4448 4328 chrome.exe 115 PID 4328 wrote to memory of 4448 4328 chrome.exe 115 PID 4328 wrote to memory of 4448 4328 chrome.exe 115 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
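This signature only says the sample used the VSS COM interface (vssvc.exe was started as a consequence); the report does not show whether any snapshot was created or removed. As an added example, not part of this report, the script below records the shadow copies present per volume before a detonation and reports any that have disappeared afterwards, which is the check a responder wants once a sample tagged ryuk has touched VSS. The baseline file path is an assumption; run it elevated.

```powershell
# Added example (not part of the sandbox report): before/after inventory of
# Volume Shadow Copy snapshots. Run once with -Baseline before executing the
# sample, then again without it; volumes whose snapshots vanished are flagged.
param(
    [switch]$Baseline,
    [string]$StatePath = "$env:ProgramData\vss-baseline.json"   # assumption: writable path
)

function Get-ShadowInventory {
    # Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID share the \\?\Volume{GUID}\ form.
    $Shadows = Get-CimInstance -ClassName Win32_ShadowCopy
    $Volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter }
    $Inventory = @{}
    foreach ($Vol in $Volumes) {
        $ForVol = @($Shadows | Where-Object { $_.VolumeName -eq $Vol.DeviceID })
        $Inventory[$Vol.DriveLetter] = @{
            Count = $ForVol.Count
            Ids   = @($ForVol | ForEach-Object { $_.ID })
        }
    }
    return $Inventory
}

$Now = Get-ShadowInventory

if ($Baseline) {
    $Now | ConvertTo-Json -Depth 4 | Set-Content -Path $StatePath
    "Baseline written to $StatePath"
    return
}

if (-not (Test-Path $StatePath)) { throw "No baseline at $StatePath; run with -Baseline first." }
$Before = Get-Content -Raw $StatePath | ConvertFrom-Json

foreach ($Drive in $Before.PSObject.Properties.Name) {
    $OldIds  = @($Before.$Drive.Ids)
    $NewIds  = if ($Now.ContainsKey($Drive)) { @($Now[$Drive].Ids) } else { @() }
    $Missing = @($OldIds | Where-Object { $NewIds -notcontains $_ })
    [pscustomobject]@{
        Volume  = $Drive
        Before  = $OldIds.Count
        After   = $NewIds.Count
        Deleted = ($Missing -join ', ')
        Verdict = if ($Missing.Count -gt 0) { 'SNAPSHOTS REMOVED' } else { 'ok' }
    }
}
```

Comparing snapshot IDs rather than counts matters: a sample can delete the existing copies and create a fresh one, leaving the count unchanged while the restore points you relied on are gone.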
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe (depth 1)
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Users\Admin\AppData\Local\Temp\2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe (depth 2)
C:\Users\Admin\AppData\Local\Temp\2024-06-02_d8779271c4e8b8697ab3f5728203f43d_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3448
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 3)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff89e61ab58,0x7ff89e61ab68,0x7ff89e61ab78
PID:2548
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 3)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1936,i,3818772396647864015,4631378216479123087,131072 /prefetch:2
PID:2216
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 3)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1936,i,3818772396647864015,4631378216479123087,131072 /prefetch:8
PID:3212
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 3)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2232 --field-trial-handle=1936,i,3818772396647864015,4631378216479123087,131072 /prefetch:8
PID:4448
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 3)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1936,i,3818772396647864015,4631378216479123087,131072 /prefetch:1
PID:840
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 3)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1936,i,3818772396647864015,4631378216479123087,131072 /prefetch:1
PID:4340
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 3)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3936 --field-trial-handle=1936,i,3818772396647864015,4631378216479123087,131072 /prefetch:1
PID:5260
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 3)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3956 --field-trial-handle=1936,i,3818772396647864015,4631378216479123087,131072 /prefetch:8
PID:5356
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 3)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1936,i,3818772396647864015,4631378216479123087,131072 /prefetch:8
PID:5376
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 3)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4788 --field-trial-handle=1936,i,3818772396647864015,4631378216479123087,131072 /prefetch:8
PID:5856
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 3)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 --field-trial-handle=1936,i,3818772396647864015,4631378216479123087,131072 /prefetch:8
PID:6040
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe (depth 3)
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
- Executes dropped EXE
PID:6088 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe (depth 4)
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
- Executes dropped EXE
PID:2836
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe (depth 4)
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5504 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe (depth 5)
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
- Executes dropped EXE
PID:5592
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 3)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 --field-trial-handle=1936,i,3818772396647864015,4631378216479123087,131072 /prefetch:8
PID:5224
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 3)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1936,i,3818772396647864015,4631378216479123087,131072 /prefetch:8
PID:5032
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 3)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 --field-trial-handle=1936,i,3818772396647864015,4631378216479123087,131072 /prefetch:8
PID:1192
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 3)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=1936,i,3818772396647864015,4631378216479123087,131072 /prefetch:8
PID:2660
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 3)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1292 --field-trial-handle=1936,i,3818772396647864015,4631378216479123087,131072 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
PID:1384
-
-
-
C:\Windows\System32\alg.exe (depth 1)
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4256
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (depth 1)
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:3852
-
C:\Windows\System32\svchost.exe (depth 1)
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:2952
-
C:\Windows\system32\fxssvc.exe (depth 1)
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:764
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (depth 1)
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:3924
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (depth 1)
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4912
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (depth 1)
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:5024
-
C:\Windows\System32\msdtc.exe (depth 1)
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4116
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (depth 1)
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2788
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (depth 1)
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4176
-
C:\Windows\SysWow64\perfhost.exe (depth 1)
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1612
-
C:\Windows\system32\locator.exe (depth 1)
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4384
-
C:\Windows\System32\SensorDataService.exe (depth 1)
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4884
-
C:\Windows\System32\snmptrap.exe (depth 1)
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2756
-
C:\Windows\system32\spectrum.exe (depth 1)
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3144
-
C:\Windows\System32\OpenSSH\ssh-agent.exe (depth 1)
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4476
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4288
-
C:\Windows\system32\TieringEngineService.exe (depth 1)
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5100
-
C:\Windows\system32\AgentService.exe (depth 1)
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4332
-
C:\Windows\System32\vds.exe (depth 1)
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:1052
-
C:\Windows\system32\vssvc.exe (depth 1)
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
C:\Windows\system32\wbengine.exe (depth 1)
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1664
-
C:\Windows\system32\wbem\WmiApSrv.exe (depth 1)
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3096
-
C:\Windows\system32\SearchIndexer.exe (depth 1)
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\system32\SearchProtocolHost.exe (depth 2)
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:828
-
-
C:\Windows\system32\SearchFilterHost.exe (depth 2)
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
- Modifies data under HKEY_USERS
PID:4796
-
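The process tree shows a long list of Windows and third-party service binaries (alg.exe, fxssvc.exe, msdtc.exe, vssvc.exe, the Chrome, Edge and Mozilla service executables, and so on) flagged "Executes dropped EXE" after the sample and alg.exe had opened the same paths for modification. The following is an added example, not part of this report, of the check a responder would run on an affected host: verify that each of those files still carries a valid Authenticode or catalog signature from the expected publisher and record its SHA-256 for later comparison. The path list is taken from the report; the expected signer names are an assumption for a stock Windows 10 host with Chrome, Edge and Firefox installed.

```powershell
# Added example (not part of the sandbox report): signature and hash check of the
# service binaries the report lists as opened for modification. Run elevated.

$Targets = @(
    'C:\Windows\System32\alg.exe',
    'C:\Windows\System32\fxssvc.exe',
    'C:\Windows\System32\msdtc.exe',
    'C:\Windows\System32\dllhost.exe',
    'C:\Windows\System32\msiexec.exe',
    'C:\Windows\System32\SgrmBroker.exe',
    'C:\Windows\System32\AppVClient.exe',
    'C:\Windows\System32\AgentService.exe',
    'C:\Windows\System32\locator.exe',
    'C:\Windows\System32\spectrum.exe',
    'C:\Windows\System32\TieringEngineService.exe',
    'C:\Windows\System32\vssvc.exe',
    'C:\Windows\System32\vds.exe',
    'C:\Windows\System32\wbengine.exe',
    'C:\Windows\System32\snmptrap.exe',
    'C:\Windows\System32\SensorDataService.exe',
    'C:\Windows\System32\SearchIndexer.exe',
    'C:\Windows\System32\wbem\WmiApSrv.exe',
    'C:\Windows\System32\OpenSSH\ssh-agent.exe',
    'C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe',
    'C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe',
    'C:\Windows\SysWOW64\perfhost.exe',
    'C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE',
    'C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe',
    'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe',
    'C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe'
)

# Assumption: certificate subjects expected on a clean host; anything else is reported.
$ExpectedSigners = @('CN=Microsoft Windows', 'CN=Microsoft Corporation', 'CN=Google LLC', 'CN=Mozilla Corporation')

$Results = foreach ($Path in $Targets) {
    if (-not (Test-Path -LiteralPath $Path)) {
        [pscustomobject]@{ Path = $Path; Status = 'Missing'; Signer = ''; SHA256 = ''; Verdict = 'CHECK' }
        continue
    }
    # Get-AuthenticodeSignature consults the system catalogs too, so catalog-signed
    # System32 binaries without an embedded signature still report Valid.
    $Sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $Hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $Signer = if ($Sig.SignerCertificate) { $Sig.SignerCertificate.Subject } else { '' }

    $SignerOk = $false
    foreach ($Expected in $ExpectedSigners) {
        if ($Signer -like "$Expected,*") { $SignerOk = $true }
    }

    # A rewritten PE no longer matches its Authenticode hash: Status becomes HashMismatch,
    # or NotSigned if the signature directory was dropped entirely.
    $Verdict = if ($Sig.Status -eq 'Valid' -and $SignerOk) { 'ok' } else { 'TAMPERED?' }

    [pscustomobject]@{ Path = $Path; Status = $Sig.Status; Signer = $Signer; SHA256 = $Hash; Verdict = $Verdict }
}

$Results | Sort-Object Verdict -Descending | Format-Table Verdict, Status, Signer, Path -AutoSize
$Results | Export-Csv -NoTypeInformation -Path "$env:TEMP\service-binary-check.csv"
```

For the Windows-owned files, sfc /verifyonly and a hash comparison against a known-good image of the same build give a second opinion; a valid signature from the right publisher is the quickest way to rule a file out, but a file that fails here should be treated as replaced until proven otherwise.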
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 bcd6b0721ac6b6ad9d218c4120e8a88d
SHA1 d0dc5a8142d635bbae950ebdea7a006a1d5ee826
SHA256 5a42b3f46c4e561acd6ee25de83ce0d837505d7a283b15387a71e3aa70827b36
SHA512 fd2a5c97ee4362434c560f482489a1464a9d46e48808e55d65ffd498839268161803eac0561f9db4f83e63b045c61cc81db4654bdebf3b02f15ce8df2ecc1646
-
Filesize 1.7MB
MD5 653c6dcb381f9471a50c7a89cf608abf
SHA1 be36b9c7bd36beac4d17a1a85154e504018d4bed
SHA256 63cb9b0df861a91e48fafb54945d65b51e3387a2870fe61b1ff7ca660fdef16b
SHA512 f1fd5770119a56f22f1e98dcbbec089ced439d9f94f9a7a2128519ea06bb34125c7cb15095d2e37d9a236ebe971ec116746c7c00cc2814b1ac1780554a300e5e
-
Filesize 2.0MB
MD5 169a30db6837fe9ae7f065afbefde692
SHA1 d7e64d94e9621ec39213db448f1263241f2ab848
SHA256 0df2d4597051737a1611276ee341eb97bea9a9beefeb2fb157aafd6dc198a970
SHA512 999b725f1d8c52a03ebdfc596b484388949a03e886cc83134ddcfc897c2b140e07f2348a261d5f61f86d46e0a52f919ffa3dfa5c008cd991e578b280fdd5d4c1
-
Filesize 1.5MB
MD5 daba1d49a638b3268d5d75480952a3c9
SHA1 6d51828ddc93ac600b5566e5e623520849091fa8
SHA256 80bad832aa250ed6a49f4f2fd37e829d2d9885e9272a81a6779a5852e3085ec9
SHA512 48cbbd05f7514245f3f993486ba0461fcd355879374304d5caec8623311e892192f9c37626b6ddb5116e0268bcc743c37c9f66626965af2f81f141ed16f904d4
-
Filesize 1.2MB
MD5 9709d964332f92fedab16fc353f9753c
SHA1 43e6229296e43dc56faa88ec75e271c5c1f832e2
SHA256 16a9ac3c7d0f62edb3ba2c87d0f9f8185ac9b368908fd77d732a173219c2fb66
SHA512 dba84c847d3b06135a811432e35938eafa9d0e1f8821ecab42fc13508674227d164ff559f7435f61eb11adc0779cdd35aa5be84f4cf31067c1a1fb5670e2ef1f
-
Filesize 1.4MB
MD5 84d55ac93126ffb0d0133a8777e80169
SHA1 bf7c219c65c570fa69af28d568314242dd303f16
SHA256 80fc16dd4c4cb233228591424c5b81245433140020e91cff1d83f3dc811a8dd5
SHA512 b42f0121caf88e3300e559bddb1b2da729aa8e8c1f46fc385c7701c0d38fe73fbbf711609f8ac0191555449dad804967e8654acc695c57ff03f8ecc349cb6905
-
Filesize 1.7MB
MD5 e2fb2b4cacc68321fd444306e672c096
SHA1 f09f703b3452570b856b2404e6f5e891bb0649de
SHA256 285c11ac73281604d3a7c26bffc77656ba4e05369eeafd31ba41ecb30cee7951
SHA512 04babaf47dad1f8497a1632320adc5c70e1733737124d5402c2363d3058c6d0ef6c58e8eae25ed83ca198ddd9f4183df2fb9b0da6252717785e5a6d67fa0e55a
-
Filesize 4.6MB
MD5 428fb91871643ba2875d325def36d065
SHA1 e8fba06a673bf31f0429f24d595116dcc2770928
SHA256 b0ca38453ccbf7d27de542da480667f01226699894e10b58fcfd0e2d54b89d68
SHA512 cb596b36c0862a187db0f1707866d53252af4faee438656664e8bc8cc7ed75c31be251c7d40579116c8b271ede98cd68d46a9593d258a57890de1c72ad087f6a
-
Filesize 1.8MB
MD5 8fdec6013e944a8f701155ba6ddbcb21
SHA1 7c0f45f1b972538068daa27e4f8d742c7ca5854a
SHA256 af466ede97205deb503653bc424781e7f586f0d364c86e52b028e8f2a0e07a87
SHA512 17cb54f6d7e860486af7f8d1641a49596a6925e00dfd2b18ebae0e8d75d2e60556def802213e1ac6f1eae2635651f223b2d6f04acf0e633a9144d209a83b3db1
-
Filesize 2.7MB
MD5 61f417bb1cdde90c7f2e23adb7abb09b
SHA1 2cc90b0aca84804ea2e68d1f01092e4ad2774c3d
SHA256 7ff099c0c5ec3912e9912c241cc799866e485b99018cab03eb485c307bc203e2
SHA512 b310fbd9eedb873f47f5269f1a65a353bf713d30f126c4516496c90a0c48d5f7c62c7cba4d832c2fa8952da86130d97ebf06b6b3d8cc89cce58ea6d3489f358a
-
Filesize 1.7MB
MD5 b7bb19fc2a5bcc0e572e37ac56fb8636
SHA1 013288a4f216f6fd9a739856f5a8580fe3a562cc
SHA256 83a3ded9e3de5884039137e2a3731a43a5a7c64db9876d279c9108b60581ece8
SHA512 cd9d4ce531d8158d6930c75573b63156e040a896c21b712eac50373991444986373332d6f7dfba6b41f7ce798c4f04d8a93d2e10a58cc1131ae4ab8821686f83
-
Filesize 5.4MB
MD5 138cd9534ebae0265337cffd3003b4d8
SHA1 cbf61b8b8b4de7e386e4520b9f175739842c0771
SHA256 bde017f19b730757d869492f0bd31925f036d7497ea1da72ce932fce09f59296
SHA512 15cfe4dc43d917d9c004916ca7f6f36adf173eb693024ddc259af9f7b7949230f3daa1c09073778391071ef11a0c01aaa2b98acf1ebf2cdd751017607d53d6fd
-
Filesize 2.2MB
MD5 31008e3be3e948ac8f71d0eae15609aa
SHA1 3d0feead4afec88c37a299b4e7e143daf001731b
SHA256 47c47188416071cfec4185a56dd77058599546d3ad8b00442e30d86a348797de
SHA512 82a0cb209dc851279164116ddda8d12f746b14b55264a88f0e9225d2cb1279de4078935adc4c6c6d566eb68216eff84a0cb3984beadc265ac64db7951a8b6733
-
Filesize 488B
MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize 1.5MB
MD5 4334cc0214593b5eb696dfeab58d9763
SHA1 e21ac4256d29f5b44a042029bc62df8181f84805
SHA256 e56783df3b0f79c9b476346b549024aff69e2a44982a557873e22aa85c0fb7cf
SHA512 7b76b8a7e5a48c170e40d54ed610f2a05162faa1fa7cb3e46e395f38a521a4575340b58d96ed163efb406e6b1b0c7c475c4dbb8917a103ad71b7208b747ccf71
-
Filesize 40B
MD5 757f9692a70d6d6f226ba652bbcffe53
SHA1 771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b
SHA256 d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad
SHA512 79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150
-
Filesize
193KB
MD5ef36a84ad2bc23f79d171c604b56de29
SHA138d6569cd30d096140e752db5d98d53cf304a8fc
SHA256e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize
1KB
MD5a0e8048146cd621a00b2f2d0f697d163
SHA1d67e0860237d25cc048cb59275706a3ac36d78bf
SHA2568e96c0a849d2c4d9d8698a1cfad8a487315d7be50a10235989c6d3710e1f3346
SHA512354f0b133d885ef43c7b5fcfad17e15868653d93e35f3130a44a015ee1915740fe373ae36b6a495229faf9c9846cee9137c26047af0df742f607d215882108f6
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD56d0728e7a7da550c778e338db4bb6204
SHA135d6190eebeb8ae603b6261ddbf14b2b76a0275c
SHA256a33ff557e57b8040e1a4b549f41286090f08aaf98338a6acf1a38860333fd0dd
SHA51227126eb1fb96ac2e2cd414f6dd3e16cdcff1ddd1996e1f5fc3b102ccaef1a1e6b723c9304f6a4e43e2e667846bf884e076d21a6f8d6230bfa253fa24ab6cae48
-
Filesize
5KB
MD5a5e89278d78b9e6e412d12b043ecc2b4
SHA1b5714e931236ad5f0c5a9f1a9d0ff91426bbb0d7
SHA256a8331c5b163522f80e7deedac75e9883beb5f17d6547a355c26a4594567e2ef5
SHA51202beb8fcc36b08a24594bccff71f107728da5640bb16133d7d03ee59590eb7d1d9dfed378ccf908e96f5959d2198ac50260c9f9553726039fb0fd7613da537b2
-
Filesize
2KB
MD56c38709f2b92b4197d45f6df3df81cb9
SHA192d1adb3512f085dba8c03ea68d926704ebbbda3
SHA256d5bb9e1c53b6d6dd67dcfdf3963d7d8b0dd3094ce6a86851e8b8ab7d3d6f235a
SHA5123cc01f22a75c283dd55a4fc9b02211776bc1246ae7787ffeee21a25d0ea8ddaafbb70cbe8d0976356fcff59c9be8e9c178c15264d2a44df3653bb1e03fe41bf9
-
Filesize
16KB
MD5561663d5990e46f105d3b2b2bcd5c9dd
SHA1f710627c264e0f036710edd38937c8f806937338
SHA2562dcfb6c7f089a52e73db07db372d1fb44f92dd17008f2221c5f1fa2b57b2d17e
SHA512fd413d11312d88ea5a0dd322091f9162ef48e3a03878c1997696737182669f4a9f56a6aa15058808a07003e397098ebc1c54a28cb6667354bb07fd07184860c8
-
Filesize
257KB
MD518ac0d4004ed3a69729302cf9b633b20
SHA1c15a02a8a004cbf30b9047d106626921f092da8d
SHA2563f584b5f0acd5ce121a733d45c10642ea4a09b616c10f576e55a6c8b6eaf6ce7
SHA512a212288f41985d3a527c2cbf79f69ed4488e60d92d6bbe45f0993f70c47745377986f7d25e49e066989c35101165de41fc08e986fd9f8f382fdce9f41c52c099
-
Filesize
263KB
MD52cffd1820843b7c71886f1fc37dbb4f0
SHA1dca52c69e0eaa2ae969bad309c26208de11d88d6
SHA25622096dfeddd45b98234d8b8b95c676e486d836b8ee7cd7551cb62c56069f365c
SHA512a86cb1881fa0d42cf5b28a463483ef1489e2c8cf110c73af18d4756abd2b5cba64144c5180387cab417d180c1b4a9c1f597a9bb6f44eb1c06ff98cc2a97d6aaf
-
Filesize
282KB
MD541a01976c487bc874c1f4d725e997029
SHA14624cefea53dcee7f6d44d85d9fb697572e1d11a
SHA256b299543c1ad9d96abaa0d8924deaf305376c1816887621a03f73e5a36aed0f2b
SHA5127d00e20bbf028a583a0c23d21e3e3e7565f817b06feca359f21a868534c5c7add1eeb13b750605b22524aa07661c5bedc922d53196cae82e536c66153336e826
-
Filesize
262KB
MD586be0822bee17fd78a02896694b71d60
SHA1ec353079f838bc8212454abf7a47d8d4cdbc26b9
SHA256663643f8dbf1fac444ca35cd90328a06b007d1a5eab57cb0d1d13266c89b9ef0
SHA5125aea667cc5bf8b254b7719a3d02f0aa04886bac70cc7ad7738c63c2b500d50fcd7781a7b387c395f53f2594702d8d05f2db4d026eaeae381ce242a4a11429a79
-
Filesize
91KB
MD5e453561d72fd7cd8e8f863b9c89f3bc3
SHA19f24c2152c2487ee69fede893776286e01414382
SHA256bf74bbae1af946e3676d4537bea6fdbe9ae964a0e37b3750a5298baac25090ad
SHA512504ebaefcc4bd795258b3d691c73f17d5224637cfb38e099cc77ccc7d652524b6bf6b433f74372786332d6eb42183c491cc3bcb73e4e0b85f895aea37206308e
-
Filesize
88KB
MD5be6643c7b7d1dd5bd4e53fb98ff1b807
SHA10486b0281b67b231076ca2072ef30a054c3f842c
SHA256d4e560698b98c3481976dd112ceb04c29965f20ded069600a17f9b04bc963c60
SHA51286f15e220eb14d546d0655861de75ad6213b3aa250315b2b056bd4a5b6a0037b7231838188aa25ad3819ff175cbdbe9c388f5e28a2af9d66843926906268e6d9
-
Filesize
8KB
MD5e4616e7da2e751c401f465fb29bb5f05
SHA1a9ee9480ae4ddeddcb8374e4c861f34d65efc148
SHA256ea828ad441030348306271d69f0273ab22956e98f62a531355e074d9bde0e889
SHA512a8e5b2c64781a6632fe99e5f9b4b148468cf4b153af0cce6865b7df674e98176268eabcaf193e42351a8d5f70da136093bc6c315b88b6ffd95a9c598bdb8b3c6
-
Filesize
8KB
MD5f890e67979ce412193a1a9fe758e6148
SHA106dc8b30ea0198392e7582e19acf72098d5a60fc
SHA256280c1a35a9f32302b801d5b1d4d840e553881da36d662e2a1109b4c8ee7b0b30
SHA512a1354605ecb7a9b9b0e26cb5e41beb0869a31b533f4e29d6af06e6cea00d94311ad3a8f860234530ab8f9be89780c53b2fd46bd477a880b7f773529ac344bb15
-
Filesize
12KB
MD52469f0969bc1f1be46920a3d4ed633d1
SHA1d7f50247772734719abf3a8c519a3093c815bbf7
SHA256700db49a49d93d25dd00c829b7c9558b3c68589bff90d2a402e0dbfb5d5cf105
SHA512e959b301d192ede86367d32f7752ac7af54c7f67940493d4e92415c54497fb42f8b6d96f88fd3806752cfd2631694386d126a827adb33b3dc6eba3b00a00be90
-
Filesize
1.4MB
MD5e413c03370bb8c2572c8305b218e80cd
SHA199ef13c2a8fd26ec45b14c7469d62f99d640973b
SHA2569c714aec3e535300a6be9b68412adb92fcbd304db1ea43341b9c55946d58c0f2
SHA512c402b2849fa5ecdd1d2a17ba5ea5310071a8146dbb6d50c92b362d9d61410ee6b0185c06e6b8b9f9a7850f9aff5c8a6098097744b404a3cefe3af914926a7297
-
Filesize
1.7MB
MD549b1070df2340c7a43cc371cb15e1b62
SHA1f3a94ab1c756269f457c2319990b6a3fa7dd5e70
SHA256663643f85b717e0d33a6bf3bfdc0d29c56d26b24e5c2042590a9a3ea0643bd8c
SHA512052e18b61701f41dddf6d1bc68992dbe11dbcbefc143c829fd4dadb2cf3ba4f7ca54c38faf6f63b2b23feeee3cd7b8e3cfaad57bef2c03c2fe54b3971bb05533
-
Filesize
1.5MB
MD564518d92763e65bb8e9a54db16ef8423
SHA1aa17af9e409270bc5be99c76fe584621a13c1a60
SHA2566632d82c20988bc3210382fda0fd0d58a39d964ac327a0494193c9cd8113da2e
SHA512ada73d93237fdf84cc41ff4d1dda494db2b108e8a7fab9c98a84c9caac6ed842204e919c022df5786f87f4955321e9aebb0bb3d1086f8bfe35104ee82fb1119b
-
Filesize
1.2MB
MD591904fdd20ff4361433e07c2cd87d2f0
SHA1076eb38bfdad5083180958aec1046c2133e4d18f
SHA256a9189a7481300e3293b112ebd077f5e39abf5536aa415079d1bfa213896ca686
SHA512d2e5dd079902eb5666b43504f8778028a0c198e776c52b8da43248f44b89ef189743c2167372069547e1a83b1ccf5cfe8cd6cf461b1c7f00fcce521772a907c5
-
Filesize
1.4MB
MD5bc3e8725ec2dfa29b0d9239930ca859a
SHA1c0af6b8125cfd7f41182d4487438bcd529f8e971
SHA256ae7da88dc9beafc33569f3beb8d2e97ee755e94a5a347925b7268f6e4153213b
SHA512679b1115dbc684685eb7a9a3e5426b638ce89ebfc1c2111117bcd1308e78097b48df17845f73ea15be7bf47d1de53a25d430134525be7cf739f8bf86b7b45287
-
Filesize
1.8MB
MD51d0073ce0d6d3dedb0847d0a552d37de
SHA18ade21fcafd960d2e27861e9366e0c454f8a0589
SHA25608277854da43d908045210229e084f6d53b9eb5d15e72c602f689f467b80dc62
SHA512571368d6d2d1a16b77adb6439ef7ab7b158b8c87e979279511d379e12802f14f56bc4ed75c2fab637522f30334babcd914a64ac8f0f13e0c426efd9ae1501d17
-
Filesize
1.5MB
MD54aa69f14a2976c437eb8e3c55b3f55ff
SHA1ce8a6da57192ea6afa87baa5ed91f81f9d5fc93f
SHA25600b5e43a87a3801ab1330b5217af485b3d90188abcb6c8059dc60787d410ba5b
SHA512bffcce5761a2de450caa2b92f16125ab3408a2ea7d98fd4f3ee54362730fbd306528ee7714df29b4e10964537b0b915d3be28b39bd4e63da8d1db3246a33ace0
-
Filesize
1.4MB
MD5d799fd99273021abc76a6cd67972356d
SHA1c07fcaf7683762ce3a6ebe381d9aa5aa68b015e7
SHA2568185a47cddd73ca0c5a53ed323da1988725e3da44732d243269cef5099b122b8
SHA512e40e8bc2b18e6c3e4a80b7f9300898662e05915407dc6ef731c8e620e5d966ce270ef16ab033f0400bb762313ccaef45e330252baa34922b1c7b53bcc9803ded
-
Filesize
1.8MB
MD5409662c1061d18a1dfbfa190ad8057b2
SHA162a3cc5b1ecf8b3eb1c573b8a4196cd416cc94da
SHA2561f3190f7fa4efacf8e801573cd9cc0589bd6a1cdf3f6de829267255fdc84197a
SHA5121084b9464b7bd852aba77db6d803b6c165cdeb6c9cbff26c38b8779bd04f24df95dff6f2cc4ccd7bd4e96db590eba9429205d49419f7e171aaaed58996ecbd05
-
Filesize
1.4MB
MD50dfef30dc1a18bbb0aaf267ed93d8231
SHA17097ea4e9602c824e96fb807cb8e86b2c5ffef93
SHA256ef5cabb665bc92dafedfa01c71168131157ea22aeda2e2d583801e55454aa2cf
SHA512f4add5524a11a610d0305ddb6ebaf7e6f4c049b6a7125fb68b630c4f7304dbf4e59df9feb9b3ea83e2a2e9ca4cd396a440e2edf258949484b9cd7d26f89b5710
-
Filesize
1.7MB
MD50d836b05695f868c0898803ef30fa750
SHA1a9f55976a5b66aa101abb504bd6ea67aa687ecfb
SHA2568fc4dcbdca14a4d6c6e7526634b358da386304b270a61d6f7622ed7df09e6c80
SHA512aadf552fec2299467d2b38d6a379b1ad2fbb8cca35508061ffc3278acf1dc93e6e630418028215d870b3f6184cd1265ae2b69b50657f1ad659c851e183f3b4d2
-
Filesize
2.0MB
MD513b607c08f4fab8c75ddeb987fd338f0
SHA1a856baf0c35383d1c29d11c70ad0551ee91ac8f7
SHA256a0e1feb46f216cbc343c623030f848295a1016a024c91ab06a84f97df60e659e
SHA51299a58a7776cbb26ebad642bc7002c3147c4b79e9bb3d0db53d0b821b193050a25d66e76c1d059ea8d9f5b6514fd7dd770a327ee51d5267a0ee86a7deea4a706e
-
Filesize
1.5MB
MD5c4061ac75ae27716a9d6821933bdd738
SHA1f649e5e61f9d4bbf09f66732acfed8d45c101c1f
SHA256f487016d08d2f8ee16b201d465cd6e0b41f739e3aecde371117fad0914103d07
SHA5121931bf76e91d875f09bd0e5ed05fce2ed165dc58a9e26c01d36e347312dd71b7178c0e72cc7cefa0ebbc72c95d011ccda9954c31f70119f15fcd1ade9fbd85ac
-
Filesize
1.6MB
MD532221b6ebeea6be275d37f5154b7ca10
SHA1076f300d28a21282954768172cb8d7f54198e4ee
SHA256af1bcb544dee9a570c3d64dca6e9e30f16f678e1b8f069a51016beb83f1f88bc
SHA51200a5b5f4e22eee8bef223e6316b2996588788c2603608286deb7a9a20225343008cb7c2e6ba4ace9115417679435ac72a4e32ce60d65fe6bd68cb7253fdb7c80
-
Filesize
1.4MB
MD51f7a16dc310accfd0fb0335e96a13c79
SHA1d6aa3fe4814b5885c18b7f5cf9f60f4dcf9487ee
SHA25673f7b5f79fb2cbce790b14053959b902170744e168b9280ccd31fcd709bf5cf9
SHA512a9c6db141b4065ba29a5404f07ef32a4da57d961ed84cc77a4d43a5788ad6a68064f39f3653b98677a9e3931bf164d952edbf3ae3d04e2b50f872d97ab78d23d
-
Filesize
1.3MB
MD5c599aafa4823b536e121bc6bb188d28c
SHA16d5d01747642dd3c18d3052f481da870e8f86947
SHA256f781c528bff1bdacdd9419f5c7477cb35e54c3b5ee4cfa636649b40045a97eed
SHA512807ed2e66669ba024be0519a794fa10d1141ef855345b10fe2b0ecc4d98119ba0bd45a57b6056eec2f33a5186c2a0364db06d3f41e665dedbb573eada46c28a9
-
Filesize
1.6MB
MD5ef0e68e72b26156f3e310c9e358ccb37
SHA127c2531b0d3698b0e4992199145ec8028a79ff7d
SHA256926fe3eb8d285968804cbfaf7d65e65062c0a003486dd23ba971d5c11e695326
SHA5125d1ac6e2b9e15faa033f47a11daf58ae60cd2918b0ef4926d97ba33de780076579fdcd190cd53bc5b796c42c1aeea62f68423b39e08c0726d2ed0c01cf8f7328
-
Filesize
2.1MB
MD5c07b12bdedccce5cff884c446570d073
SHA19bc8c0b1cfeb44f6da2b811a144ae70160a45fa6
SHA256ff011bf9d783b12e56ad09824b5c6a99ab4f921d3b28d1b8768c1fff66d8e839
SHA5128d671f3c7af5aa3418239756cd9664cb3acd704c8375c89e95669a29a621138ca15bc28c900c2e0f9a467a7c71b9721dfba10c3bbbe1940c016eebbf240633a4
-
Filesize
40B
MD58323eb783d4b3475bc1107f7b22fe30a
SHA18b61ba2d4ceddcce64913e45b0b3aaedba641153
SHA256b04e4a8229ad76f418899a184586a34f1da04653efdd8f0386b76fe7282bd7c4
SHA512a6e5fa59549dd9f848741b7c5e0e99e3efd1ac639e61a1a430fe7a62e6f13bf625fc22d619b29e9319f0bddd46eda6bd61057d4afcde7c846a72bf6e4ef79972
-
Filesize
1.3MB
MD5df1cd14d97c8f4f8133fceed076fa946
SHA186e2aa269fa33871c9d73cf68c1794c63826b4ec
SHA25601cdcf201f74666c247e83f481d030cc35aec4765bc319650bbcf29e4d5b837b
SHA5129ea8064625074c11828843915715053653f33b8db4d79581930b88fef0d47527bf226547092da1396adc8396c9194d26c2bd364bf2b550cb15e0967dda52a8ca
-
Filesize
1.7MB
MD55cdaaff50f6024273a9a56c45b8d7a7f
SHA1124a0dd7ff216ce39cd757856d6ae72b1d622fd4
SHA2566f6c5266cb8e132415dc47921518cb555de5101c5cd8881c3bfd29440b044b09
SHA5128e9c5d0e06846d290c370641fadea7ecb176f64d24dbe6ac6f8f4418d198b7dd7f4bbd8a230608a7270616f468b82ee5d119a7c78f6d624c9a2f1b7380d83766
-
Filesize
1.5MB
MD58640af7efd99563050e72bbdd90ec483
SHA1fbac280a21e1cc5b587e60f229b1433c66f745e2
SHA25676e1900e5eb69d9abd5fc14cd1173b3d7c797606d77d901632b1ada4d47c36b2
SHA51225dce90b0d328fea603dde253688e65ee3d2a74cdc1a4146ea61874353df1e400ba14f39ff0d7474c8fee24a9b6f8b80da5535605dfaf4252f6d874d356cb07a
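Added example (not part of the sandbox report): a Python script that computes the same four digests the dropped-file listing records and matches local files against them, which is how this listing is used in practice as a hash IOC set. Three entries are copied from the listing above (the 2-byte, one 40-byte and the 5.4MB artifact); extending IOCS with the remaining entries in the same shape is an assumption left to the reader. The fixture directory built in demo() is constructed. The digests of the 2-byte artifact are those of the two-byte string `[]`, an empty JSON array, so the demo shows that file being recognised while a `{}` file of the same size is not. A match requires every digest the entry lists to agree, so an entry with one stale or mistyped hash never produces a hit.

```python
"""Match files against the dropped-file hash listing from the sandbox report above."""
import hashlib
import os
import tempfile
from pathlib import Path

# Entries copied from the report's dropped-file listing. Constructed subset:
# only three artifacts are included; add the rest in the same shape.
IOCS = {
    "2B": {
        "md5": "d751713988987e9331980363e24189ce",
        "sha1": "97d170e1550eee4afc0af065b78cda302a97674c",
        "sha256": "4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945",
        "sha512": "b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d604"
                  "0e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af",
    },
    "40B": {
        "md5": "757f9692a70d6d6f226ba652bbcffe53",
        "sha1": "771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b",
        "sha256": "d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad",
        "sha512": "79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956"
                  "f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150",
    },
    "5.4MB": {
        "md5": "138cd9534ebae0265337cffd3003b4d8",
        "sha1": "cbf61b8b8b4de7e386e4520b9f175739842c0771",
        "sha256": "bde017f19b730757d869492f0bd31925f036d7497ea1da72ce932fce09f59296",
        "sha512": "15cfe4dc43d917d9c004916ca7f6f36adf173eb693024ddc259af9f7b7949230"
                  "f3daa1c09073778391071ef11a0c01aaa2b98acf1ebf2cdd751017607d53d6fd",
    },
}

ALGOS = ("md5", "sha1", "sha256", "sha512")


def digest_bytes(data: bytes) -> dict:
    """Return all four digests of `data` as lowercase hex, keyed by algorithm name."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def digest_path(path, chunk: int = 1 << 20) -> dict:
    """Stream a file once through all four hash objects; works for any file size."""
    hashes = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashes.items()}


def match_ioc(digests: dict, ioc: dict) -> bool:
    """True only if every digest listed in the IOC entry agrees with the file.

    A single disagreeing algorithm is treated as a non-match, so a stale or
    mistyped hash in one column cannot turn into a false positive.
    """
    return all(digests.get(algo) == value.lower() for algo, value in ioc.items())


def find_matches(digests: dict) -> list:
    """Keys of every IOC entry the given digest set matches."""
    return [key for key, ioc in IOCS.items() if match_ioc(digests, ioc)]


def scan_directory(root) -> dict:
    """Walk `root` and map each matching file path to the IOC key it matched."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            keys = find_matches(digest_path(path))
            if keys:
                hits[str(path)] = keys[0]
    return hits


def demo() -> dict:
    """Constructed fixture: one file holding the 2-byte JSON '[]', one holding '{}'."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "Preferences").write_bytes(b"[]")
        (Path(tmp) / "other.json").write_bytes(b"{}")
        return {os.path.basename(p): k for p, k in scan_directory(tmp).items()}


if __name__ == "__main__":
    print(demo())  # {'Preferences': '2B'}
```

For a live triage, point scan_directory() at a copied-out profile or system directory rather than at the running system, and keep the per-algorithm comparison: MD5 and SHA1 alone are cheap to collide, and the SHA256/SHA512 columns are the ones to rely on when only one digest is available.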