Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/06/2024, 20:35
Static task: static1
General

Target: 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe
Size: 4.6MB
MD5: 6f3096e341608d237df9a34cdf621865
SHA1: 4101f5137bf065e4bad0146c9732ab07b752d769
SHA256: bf4a93a80035a903cf9f45376bfc39296f6f06c7c81d93fc1c515a70016de4dd
SHA512: 3fd9ee36d82718570ddcbedbe94b10e48daae01573d00ed4804268da28042c7d74d214b4f9743fe689504fbe1715009376198a9945ce1d410e4858adbec1c7c4
SSDEEP: 49152:qndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGl:g2D8siFIIm3Gob5iE1EnW6at
Malware Config
Signatures
Executes dropped EXE 26 IoCs

pid | Process
3904 | alg.exe
4984 | DiagnosticsHub.StandardCollector.Service.exe
1828 | fxssvc.exe
1484 | elevation_service.exe
2064 | elevation_service.exe
3444 | maintenanceservice.exe
5056 | msdtc.exe
1556 | OSE.EXE
5060 | PerceptionSimulationService.exe
4336 | perfhost.exe
1836 | locator.exe
4356 | SensorDataService.exe
712 | snmptrap.exe
1440 | spectrum.exe
3040 | ssh-agent.exe
1432 | TieringEngineService.exe
3172 | AgentService.exe
4976 | vds.exe
2856 | vssvc.exe
3360 | wbengine.exe
3516 | WmiApSrv.exe
3304 | SearchIndexer.exe
5836 | chrmstp.exe
5908 | chrmstp.exe
6004 | chrmstp.exe
6092 | chrmstp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Modifies data under HKEY_USERS 64 IoCs
(int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133623525711643223" chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" fxssvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030d58c81e3b9da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg SearchProtocolHost.exe -
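The Shell Extensions\Cached values and the TPM TraceTimeLast value in the records above both carry Windows FILETIME timestamps, which is what lets a responder order these registry writes against the 20:35 submission time. The script below is an added example, not part of the sandbox report or its tooling: the record excerpt is copied from this page, the regexes are written for this page's record layout, and reading the trailing 8 bytes of each 16-byte Cached value as a FILETIME is this example's interpretation, checked only by the decoded times landing within a minute of submission.

```python
"""Decode the FILETIME-based timestamps carried by the HKEY_USERS records above.

Added example for this report. Treating the trailing 8 bytes of a Shell
Extensions\Cached value as a FILETIME is an interpretation (assumption), not
something the report states; the leading 8 bytes are left undecoded.
"""
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Record lines copied from the "Modifies data under HKEY_USERS" block of this report.
RECORDS = r"""
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000076fb9381e3b9da01 SearchProtocolHost.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a976e8ce3b9da01 SearchProtocolHost.exe
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133623525711643223" chrome.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030d58c81e3b9da01 SearchProtocolHost.exe
"""

# Written for this page's record layout: "...\Cached\{GUID} {GUID} 0xFFFF = <32 hex> <process>"
CACHED_RE = re.compile(
    r"Shell Extensions\\Cached\\(\{[0-9A-F-]+\}) \{[0-9A-F-]+\} 0xFFFF = ([0-9a-f]{32}) (\S+)"
)
# "...\TPM\Telemetry\TraceTimeLast = "<decimal FILETIME>" <process>"
TRACE_RE = re.compile(r"TPM\\Telemetry\\(TraceTimeLast) = \"(\d+)\" (\S+)")


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = number of 100-ns ticks since 1601-01-01 00:00:00 UTC."""
    if ft < 0:
        raise ValueError("FILETIME must be non-negative")
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_shell_ext_cached(hex_value: str) -> datetime:
    """16-byte REG_BINARY: bytes 0-7 (0x01 here) are left undecoded; bytes 8-15 are
    read as a little-endian FILETIME (this example's interpretation)."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != 16:
        raise ValueError(f"expected 16 bytes, got {len(raw)}")
    return filetime_to_datetime(int.from_bytes(raw[8:], "little"))


def build_timeline(records: str):
    """Return a list of (utc_time, value_name, writing_process), earliest first."""
    timeline = []
    for line in records.splitlines():
        m = CACHED_RE.search(line)
        if m:
            timeline.append((decode_shell_ext_cached(m.group(2)), m.group(1), m.group(3)))
            continue
        m = TRACE_RE.search(line)
        if m:
            timeline.append((filetime_to_datetime(int(m.group(2))), m.group(1), m.group(3)))
    return sorted(timeline)


if __name__ == "__main__":
    for when, name, proc in build_timeline(RECORDS):
        print(f"{when.isoformat(timespec='milliseconds')}  {proc:<24} {name}")
```

On this report the TraceTimeLast write by chrome.exe decodes to 2024-06-08 20:36:11 UTC and the Cached entries written by SearchProtocolHost.exe follow within the next half minute, consistent with the 20:35 submission and the 150 s run; a value that decoded to a different day would indicate the tail is not a FILETIME after all, which is the check to keep when applying this to other reports.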
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe -
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid Process 3192 chrome.exe 3192 chrome.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 848 
2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 4632 chrome.exe 4632 chrome.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 656 Process not Found 656 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Both instances of the sample (PIDs 1208 and 848) enable SeTakeOwnershipPrivilege, which lets a process take ownership of an object regardless of its DACL and is the usual route to rewriting the owner-protected service binaries the sample opens for modification under System32. The remaining records are backup/restore/audit privileges enabled by vssvc.exe, wbengine.exe, TieringEngineService.exe, AgentService.exe and SearchIndexer.exe, and shutdown/pagefile privileges enabled by chrome.exe; note that those service images ran from files the sandbox saw written during the run (they carry the Executes dropped EXE tag in the process tree), so their privilege use is not automatically benign.
description pid Process Token: SeTakeOwnershipPrivilege 1208 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe Token: SeTakeOwnershipPrivilege 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe Token: SeAuditPrivilege 1828 fxssvc.exe Token: SeRestorePrivilege 1432 TieringEngineService.exe Token: SeManageVolumePrivilege 1432 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 3172 AgentService.exe Token: SeBackupPrivilege 2856 vssvc.exe Token: SeRestorePrivilege 2856 vssvc.exe Token: SeAuditPrivilege 2856 vssvc.exe Token: SeBackupPrivilege 3360 wbengine.exe Token: SeRestorePrivilege 3360 wbengine.exe Token: SeSecurityPrivilege 3360 wbengine.exe Token: 33 3304 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 3304 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3304 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3304 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3304 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3304 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3304 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3304 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3304 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3304 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3304 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3304 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3304 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3304 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3304 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3304 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3304 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3304 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3304 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3304 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3304 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3304 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3304 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3304 SearchIndexer.exe Token: 
SeTakeOwnershipPrivilege 3304 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3304 SearchIndexer.exe Token: SeShutdownPrivilege 3192 chrome.exe Token: SeCreatePagefilePrivilege 3192 chrome.exe Token: SeShutdownPrivilege 3192 chrome.exe Token: SeCreatePagefilePrivilege 3192 chrome.exe Token: SeShutdownPrivilege 3192 chrome.exe Token: SeCreatePagefilePrivilege 3192 chrome.exe Token: SeShutdownPrivilege 3192 chrome.exe Token: SeCreatePagefilePrivilege 3192 chrome.exe Token: SeShutdownPrivilege 3192 chrome.exe Token: SeCreatePagefilePrivilege 3192 chrome.exe Token: SeShutdownPrivilege 3192 chrome.exe Token: SeCreatePagefilePrivilege 3192 chrome.exe Token: SeShutdownPrivilege 3192 chrome.exe Token: SeCreatePagefilePrivilege 3192 chrome.exe Token: SeShutdownPrivilege 3192 chrome.exe Token: SeCreatePagefilePrivilege 3192 chrome.exe Token: SeShutdownPrivilege 3192 chrome.exe Token: SeCreatePagefilePrivilege 3192 chrome.exe Token: SeShutdownPrivilege 3192 chrome.exe Token: SeCreatePagefilePrivilege 3192 chrome.exe Token: SeShutdownPrivilege 3192 chrome.exe Token: SeCreatePagefilePrivilege 3192 chrome.exe Token: SeShutdownPrivilege 3192 chrome.exe Token: SeCreatePagefilePrivilege 3192 chrome.exe Token: SeShutdownPrivilege 3192 chrome.exe Token: SeCreatePagefilePrivilege 3192 chrome.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe 6004 chrmstp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Every target in these records is a direct child of the writer in the process tree: 1208 writes into 848 and 3192, and 3192 writes into its own Chrome child processes (2716, 1676, 3984, 4120). That is the pattern process creation itself produces; the report shows no write into a pre-existing, unrelated process.
description pid Process procid_target PID 1208 wrote to memory of 848 1208 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 83 PID 1208 wrote to memory of 848 1208 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 83 PID 1208 wrote to memory of 3192 1208 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 84 PID 1208 wrote to memory of 3192 1208 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 84 PID 3192 wrote to memory of 2716 3192 chrome.exe 85 PID 3192 wrote to memory of 2716 3192 chrome.exe 85 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 
PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 1676 3192 chrome.exe 112 PID 3192 wrote to memory of 3984 3192 chrome.exe 113 PID 3192 wrote to memory of 3984 3192 chrome.exe 113 PID 3192 wrote to memory of 4120 3192 chrome.exe 114 PID 3192 wrote to memory of 4120 3192 chrome.exe 114 PID 3192 wrote to memory of 4120 3192 chrome.exe 114 PID 3192 wrote to memory of 4120 3192 chrome.exe 114 PID 3192 wrote to memory of 4120 3192 chrome.exe 114 PID 3192 wrote to memory of 4120 3192 chrome.exe 114 PID 3192 wrote to memory of 4120 3192 chrome.exe 114 PID 3192 wrote to memory of 4120 3192 chrome.exe 114 PID 3192 wrote to memory of 4120 3192 chrome.exe 114 PID 3192 wrote to memory of 4120 3192 chrome.exe 114 PID 3192 wrote to memory of 4120 3192 chrome.exe 114 PID 3192 wrote to memory of 4120 3192 chrome.exe 114 PID 3192 wrote to memory of 4120 3192 chrome.exe 114 PID 3192 wrote to memory of 4120 3192 chrome.exe 114 PID 3192 wrote to memory of 4120 3192 chrome.exe 114 PID 3192 wrote to memory of 4120 3192 chrome.exe 114 PID 3192 wrote to memory of 4120 3192 chrome.exe 114 PID 3192 wrote to memory of 4120 3192 chrome.exe 114 PID 3192 wrote to memory of 4120 3192 chrome.exe 114 PID 3192 wrote to memory of 4120 3192 chrome.exe 114 PID 3192 wrote to memory of 4120 3192 chrome.exe 114 PID 3192 wrote to memory of 4120 3192 chrome.exe 114 PID 3192 wrote to memory of 4120 3192 chrome.exe 114 PID 3192 wrote to memory of 4120 3192 chrome.exe 114 PID 3192 wrote to memory of 4120 3192 chrome.exe 114 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. This signature records use of the VSS COM interface only: the process tree contains no vssadmin, wmic or PowerShell command that deletes shadow copies, so the report does not show the shadow-copy removal usually associated with ransomware. vssvc.exe and wbengine.exe themselves run here with the Executes dropped EXE tag, meaning the sandbox saw their on-disk images written during the run before they were started.
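Read together, the AdjustPrivilegeToken and WriteProcessMemory records above answer the first triage question for a report like this one: which process combined a DACL-bypassing privilege with writes into other processes. The script below is an added example, not sandbox tooling; the two record excerpts are copied from this page, and the OWNERSHIP_PRIVS list and the scoring rule are this example's own heuristic.

```python
"""Per-process triage view built from the AdjustPrivilegeToken and
WriteProcessMemory records of this report.

Added example, not sandbox tooling. The excerpts are copied from the record
blocks on this page; OWNERSHIP_PRIVS and the score are this example's own
heuristic (assumption), not a classification the report makes.
"""
import re
from collections import Counter, defaultdict

# Excerpt of the "Suspicious use of AdjustPrivilegeToken" records (copied from the report).
TOKEN_RECORDS = """
Token: SeTakeOwnershipPrivilege 1208 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe
Token: SeTakeOwnershipPrivilege 848 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe
Token: SeAuditPrivilege 1828 fxssvc.exe
Token: SeRestorePrivilege 1432 TieringEngineService.exe
Token: SeManageVolumePrivilege 1432 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3172 AgentService.exe
Token: SeBackupPrivilege 2856 vssvc.exe
Token: SeRestorePrivilege 2856 vssvc.exe
Token: SeAuditPrivilege 2856 vssvc.exe
Token: SeBackupPrivilege 3360 wbengine.exe
Token: SeRestorePrivilege 3360 wbengine.exe
Token: SeSecurityPrivilege 3360 wbengine.exe
Token: 33 3304 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3304 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3304 SearchIndexer.exe
Token: SeShutdownPrivilege 3192 chrome.exe
Token: SeCreatePagefilePrivilege 3192 chrome.exe
"""

# Excerpt of the "Suspicious use of WriteProcessMemory" records (copied from the report).
WPM_RECORDS = """
PID 1208 wrote to memory of 848 1208 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 83
PID 1208 wrote to memory of 848 1208 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 83
PID 1208 wrote to memory of 3192 1208 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 84
PID 1208 wrote to memory of 3192 1208 2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe 84
PID 3192 wrote to memory of 2716 3192 chrome.exe 85
PID 3192 wrote to memory of 2716 3192 chrome.exe 85
PID 3192 wrote to memory of 1676 3192 chrome.exe 112
PID 3192 wrote to memory of 1676 3192 chrome.exe 112
PID 3192 wrote to memory of 1676 3192 chrome.exe 112
PID 3192 wrote to memory of 3984 3192 chrome.exe 113
PID 3192 wrote to memory of 4120 3192 chrome.exe 114
"""

# "Token: <privilege> <pid> <image>"; "33" is a privilege LUID the sandbox left unnamed.
TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")
# "PID <src> wrote to memory of <dst> <src> <src image> <target procid>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")

# Privileges that bypass a file DACL or cross security contexts. SeTakeOwnershipPrivilege
# is the usual route to overwriting an owner-protected System32 service binary.
OWNERSHIP_PRIVS = {
    "SeTakeOwnershipPrivilege", "SeRestorePrivilege", "SeBackupPrivilege",
    "SeDebugPrivilege", "SeAssignPrimaryTokenPrivilege", "SeLoadDriverPrivilege",
}


def parse_tokens(text):
    """Map pid -> set of enabled privileges, and pid -> image name."""
    privs, images = defaultdict(set), {}
    for priv, pid, image in TOKEN_RE.findall(text):
        privs[int(pid)].add(priv)
        images[int(pid)] = image
    return dict(privs), images


def parse_wpm(text):
    """Count records per (writer pid, target pid) edge; repeats are kept as a count."""
    edges, images = Counter(), {}
    for src, dst, image, _target in WPM_RE.findall(text):
        edges[(int(src), int(dst))] += 1
        images[int(src)] = image
    return edges, images


def triage(token_text, wpm_text):
    """One finding per process holding an OWNERSHIP_PRIVS privilege, ranked so that
    a process that also wrote into other processes comes first."""
    privs, img_a = parse_tokens(token_text)
    edges, img_b = parse_wpm(wpm_text)
    images = {**img_a, **img_b}
    findings = []
    for pid, held in privs.items():
        strong = sorted(held & OWNERSHIP_PRIVS)
        if not strong:
            continue
        targets = sorted(dst for (src, dst) in edges if src == pid)
        findings.append({
            "pid": pid,
            "image": images.get(pid, "?"),
            "privileges": strong,
            "wrote_to": targets,
            "score": len(strong) + (2 if targets else 0),
        })
    return sorted(findings, key=lambda f: (-f["score"], f["pid"]))


if __name__ == "__main__":
    for f in triage(TOKEN_RECORDS, WPM_RECORDS):
        print(f"{f['score']}  {f['pid']:>5}  {f['image']:<52} {','.join(f['privileges'])}"
              f"  -> {f['wrote_to'] or '-'}")
```

On this report only PID 1208 scores on both counts: it enabled SeTakeOwnershipPrivilege and wrote into 848 and 3192, both of which are its own children in the process tree. SearchIndexer.exe (3304) also enables SeTakeOwnershipPrivilege, which is why the privilege on its own is ranked below the combination; the ranking is a starting point for reading the tree, not a verdict.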
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe"
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1208
  [2] C:\Users\Admin\AppData\Local\Temp\2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\2024-06-08_6f3096e341608d237df9a34cdf621865_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 848
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 3192
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaf82cab58,0x7ffaf82cab68,0x7ffaf82cab78
        PID: 2716
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1920,i,8381150213767024907,4277240651699781536,131072 /prefetch:2
        PID: 1676
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1920,i,8381150213767024907,4277240651699781536,131072 /prefetch:8
        PID: 3984
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2068 --field-trial-handle=1920,i,8381150213767024907,4277240651699781536,131072 /prefetch:8
        PID: 4120
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1920,i,8381150213767024907,4277240651699781536,131072 /prefetch:1
        PID: 1988
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1920,i,8381150213767024907,4277240651699781536,131072 /prefetch:1
        PID: 4408
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4396 --field-trial-handle=1920,i,8381150213767024907,4277240651699781536,131072 /prefetch:1
        PID: 3820
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 --field-trial-handle=1920,i,8381150213767024907,4277240651699781536,131072 /prefetch:8
        PID: 4836
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4632 --field-trial-handle=1920,i,8381150213767024907,4277240651699781536,131072 /prefetch:8
        PID: 4012
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4200 --field-trial-handle=1920,i,8381150213767024907,4277240651699781536,131072 /prefetch:8
        PID: 5532
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=1920,i,8381150213767024907,4277240651699781536,131072 /prefetch:8
        PID: 5704
    [3] C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
        - Executes dropped EXE
        PID: 5836
      [4] C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
          cmdline: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
          - Executes dropped EXE
          PID: 5908
      [4] C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
          cmdline: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
          - Executes dropped EXE
          - Modifies registry class
          - Suspicious use of FindShellTrayWindow
          PID: 6004
        [5] C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
            cmdline: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
            - Executes dropped EXE
            PID: 6092
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1920,i,8381150213767024907,4277240651699781536,131072 /prefetch:8
        PID: 6028
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1868 --field-trial-handle=1920,i,8381150213767024907,4277240651699781536,131072 /prefetch:2
        - Suspicious behavior: EnumeratesProcesses
        PID: 4632
[1] C:\Windows\System32\alg.exe
    cmdline: C:\Windows\System32\alg.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID: 3904
[1] C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    cmdline: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    - Executes dropped EXE
    PID: 4984
[1] C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    PID: 3320
[1] C:\Windows\system32\fxssvc.exe
    cmdline: C:\Windows\system32\fxssvc.exe
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID: 1828
[1] C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    cmdline: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    - Executes dropped EXE
    PID: 1484
[1] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    - Executes dropped EXE
    PID: 2064
[1] C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    - Executes dropped EXE
    PID: 3444
[1] C:\Windows\System32\msdtc.exe
    cmdline: C:\Windows\System32\msdtc.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID: 5056
[1] \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    cmdline: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    - Executes dropped EXE
    PID: 1556
[1] C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    cmdline: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    - Executes dropped EXE
    PID: 5060
[1] C:\Windows\SysWow64\perfhost.exe
    cmdline: C:\Windows\SysWow64\perfhost.exe
    - Executes dropped EXE
    PID: 4336
[1] C:\Windows\system32\locator.exe
    cmdline: C:\Windows\system32\locator.exe
    - Executes dropped EXE
    PID: 1836
[1] C:\Windows\System32\SensorDataService.exe
    cmdline: C:\Windows\System32\SensorDataService.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID: 4356
[1] C:\Windows\System32\snmptrap.exe
    cmdline: C:\Windows\System32\snmptrap.exe
    - Executes dropped EXE
    PID: 712
[1] C:\Windows\system32\spectrum.exe
    cmdline: C:\Windows\system32\spectrum.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID: 1440
[1] C:\Windows\System32\OpenSSH\ssh-agent.exe
    cmdline: C:\Windows\System32\OpenSSH\ssh-agent.exe
    - Executes dropped EXE
    PID: 3040
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
    PID: 508
[1] C:\Windows\system32\TieringEngineService.exe
    cmdline: C:\Windows\system32\TieringEngineService.exe
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID: 1432
[1] C:\Windows\system32\AgentService.exe
    cmdline: C:\Windows\system32\AgentService.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 3172
[1] C:\Windows\System32\vds.exe
    cmdline: C:\Windows\System32\vds.exe
    - Executes dropped EXE
    PID: 4976
[1] C:\Windows\system32\vssvc.exe
    cmdline: C:\Windows\system32\vssvc.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2856
[1] C:\Windows\system32\wbengine.exe
    cmdline: "C:\Windows\system32\wbengine.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 3360
[1] C:\Windows\system32\wbem\WmiApSrv.exe
    cmdline: C:\Windows\system32\wbem\WmiApSrv.exe
    - Executes dropped EXE
    PID: 3516
[1] C:\Windows\system32\SearchIndexer.exe
    cmdline: C:\Windows\system32\SearchIndexer.exe /Embedding
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 3304
  [2] C:\Windows\system32\SearchProtocolHost.exe
      cmdline: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID: 5496
  [2] C:\Windows\system32\SearchFilterHost.exe
      cmdline: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      - Modifies data under HKEY_USERS
      PID: 5652
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2.1MB
MD5: b6fb1e44ccefac634bb22fab9da95309
SHA1: 80e35a1953a0e102088b236541989d325cc338d1
SHA256: a5bc1b35ca6962cefd36bca1e844a8693a9f4f2875e7ca98803ff9621322a4aa
SHA512: 86a20de3344602cb8f35d355b91c2c0b96d93d20e2105e293997c36f0192e03cd37ea2a164ea28d78850a90860bfed173404b7673a51e570844a2105a79575ec
-
Filesize: 797KB
MD5: 37cde3022fca97f4908e2dc3d709e6eb
SHA1: 8f783af26569d228cd7687419de956a485988f2a
SHA256: 8d9b3fb3fc4417b1a801995a3f1daf0c2ab14aa584ba20cc0a11e7f825bef98c
SHA512: 75c7bf20c50cdc83907891b437095a309448b762bbd1452d9adb9a339a99284a6349b4d28daf62a5a11af85c187d87535168e4208f92e884f77b74f534602796
-
Filesize: 1.1MB
MD5: 23e702c162cecc673b2ed5a3840d6896
SHA1: 2de93229c7e300e0e7bf3649a49d9ef4847db5c5
SHA256: f80f2116156a562d8be450e47b91072924fa74e4b8733a02c0fa742439c8c034
SHA512: 9f4cf4fdf4d86cbd578e40a5567821cf93c883c85b173720eb2252cbe5203b97a1a64b7054655089803b7d51e833a07ceee7b3aaa68f0483db6e329d26fb8970
-
Filesize: 1.5MB
MD5: c3b59a4cdbda7c127177379caf54c86f
SHA1: 56a0c6e55d3d370edf6baab80035742f76f68e91
SHA256: e01c14e14e94117d30c4be20cfbc984d27bf7b2bb7e68f7b6854f63912e80c4a
SHA512: c6e3490e87812cb83db3bc8a2797a92890b90ec466e3c57b7e6fe58b3ce89a75da9f8a76e4ad08b0e66b44301a806d5a3ee60acb6ceee9572ad9afe74a5bc634
-
Filesize: 1.2MB
MD5: e765446df6117f8a4b67a09e012e01d5
SHA1: faee98bad35cd2907ecff483d6332f236654539b
SHA256: 23c11470b16c60ad68d95c186ee04cec8f95f8c251258d3268f841d0e75e8172
SHA512: 243b407506677708a670fa1045f2975adb9acf41d2d721d1b92725907607e2f561848274d7e6177a9b5a428b804d7b6390b85840320dd649be0fc723a66ae435
-
Filesize: 582KB
MD5: 0745a12d642e13dd1874cdf5c8265032
SHA1: 859502d10983fdb4b752e4dca7b2d5be9bd9943a
SHA256: 2597dc5085b5453dd526d0906412c310c969df36d6ace49de0c71f37d3ff7c14
SHA512: 407a4dcaa3e20527ee0895556e877ad2cfacec39b7d84a8efbca7f41ad29ccfdfe6f9ef28f58619b765f74c65c2f6b84bae4454f581b10cfc031c41bc5502e79
-
Filesize: 840KB
MD5: 2df61fc71c929b68272f0ab580d9f75f
SHA1: 279ca3a5e93499539d1213ee952e923e6de108c2
SHA256: 875f9417e92b59697ffa37d2c167e7bddcf18ac46c24bfd0c7718fe8ac8dd0a7
SHA512: 22de636f911f89659448043fd9968eeb8f6b56e68f9e324adb0375426ea8347eeb372526e84a14e9c94f59094cd4c3aca0f41f2cb442ab8f4b0551f9967f15b2
-
Filesize: 4.6MB
MD5: b55586a70c54caac8ccc1465ae4110d9
SHA1: 96f80dc909056881b8af012c355beb962cf4848a
SHA256: 86e139f7ca184b8b1cf920ec64a6396efadeb18b01f32ee192fd6e626bb0a3d8
SHA512: 9a051179cac0bbab1d3d221b5d4095da2959fd9d4f99066df21d2e16b103d4a5298d59c988313618ee1eb6bed44fdec717062bb5ad3669901dd72347c4039269
-
Filesize: 910KB
MD5: 1f13d7e211fd65b910e8d417696e0602
SHA1: 5cda95322dc79c67d2f8c769d0e1dc46f407786b
SHA256: ce8faa97353387a64449e5b0cb74ed9bc35044d60140bfbc85815711b395e767
SHA512: a8e669de3f3b1ea63b221b8629653064d0de3f7e1426f3a7976eda5c0b4e70ffdc38ed4019c6ba6b7be0decb82e4c2b9ef6f3f97a24cef6b8d0150cef6e389f1
-
Filesize: 24.0MB
MD5: b531facf2347cba6cc6491856b4997ba
SHA1: fa73b143b9486f8b88104acff3c3e56a73ce3194
SHA256: 3acb676b5c8cf830ca6c934c8b0d731dc73400fd27a0c1ad7ced257e925c0d32
SHA512: 857d836b3da5d18a94f4eed389492135f1a2f0002a0542a415dc11894f3d9203a1905b3690c1eb6d9ff6a7120383b775c19fe59ca59bf7b47b6a2f481230849a
-
Filesize: 2.7MB
MD5: 9b33e432120d9238d4e1aecbf614b9a1
SHA1: 1d70cc51aeb8186777b18a06b597f9cfea2f1374
SHA256: 1b05842ef7222f97539980efcd07418df7ef1d8f915daeb986b4fc96e0e800e2
SHA512: d5789d9ad3037ee8190d8bd7aa70d5bd2997ab39e8dde53b304df64efe5f123f87c8c5f033a99307241e5c6a0614cc136b81453f1c39ebdda608adf30323e871
-
Filesize: 1.1MB
MD5: c9b7edbe8639774afe06ae6e78c6f0c8
SHA1: 6e2b19c3fab90678481880895d5c6bc7d3a7aec5
SHA256: 9cd4613c1d96da77ccc3f47095f4134527e15c2016a8e27fbbc0d310bce79096
SHA512: c097d5507a70355234c431c306e22d8461f3950e9b392a01d85fa8bbb83c27c3d79cc8c1e7a024c7fb374dce68e6a00a6c398502c712c163661b07039ff4ce05
-
Filesize: 805KB
MD5: 9f7e2535ab6cdf31ca8e54e282d0b499
SHA1: e11a8d9c06fee891994dc8ca22c080e5d77bff3d
SHA256: 13ccf6265215c3d216707b9d825d647c57ec3c40e44c46cd2815746919490891
SHA512: 3515fc53ac9a50ab5ae675dd2ffd22ab5b6440493b346d507eafceb92994611311cf52a66f1153a3e9e6bf0fad9e50f0a6734d34457310a4771e346e6b46984f
-
Filesize: 656KB
MD5: 9f40880b359fc4a300d3fd7378d031ee
SHA1: dbb6046ffc43874790afb2ea4c1a6569ddb96da8
SHA256: e9002c64e0c4632c88851204d4ecdca5e44a2745402eecf385ffa5a47c0f4c50
SHA512: 5be7fe655f1c52b63a0e68f8a258ff4dc06b639bd7fbc69285020d4fc6cec55be5be8520cd002f34be6fb80d67abdfdaf59c908c94da2abdd841d371fabf49a5
-
Filesize: 5.4MB
MD5: ca464786463ab27dc9003a7ccb43a218
SHA1: 87a0dec67fed4dd6f2f9a538fac5729f54f60921
SHA256: 3ec01ea016b9431f38a27b6a3b9b44d73e782dc81e4478eeb9f5932578e2c550
SHA512: 86ed03c546b9252a14f23ca60a4340b582fab49643c89f214ed20e94ac131e42d1b92df68e523cfee065ba9c620cd5ca6e161540d22800042cc3399916dbbac6
-
Filesize: 2.0MB
MD5: 3994f728fa0c8b0f271397c6895a9d9e
SHA1: d01c1a4b93cb9d553ed5ab91ad5ae6bf6e7558e9
SHA256: bb3b1c4719bb0c6782a4d1a57260563bde96e421d80e2a4fea7294ea92451b36
SHA512: 71186d6df021eddd13611d46f93d730040f5523ef1194b5ce016f258d2ba732983cc170bdbc91a9ea9049f5e80bdd2e5208f442cbc5fea459e3f62942d9cc55e
-
Filesize: 2.2MB
MD5: 1bc7a58a84170516539d5ec7939dc670
SHA1: c79ee403d9b350cfa6c7fd97dbba2d9a31d7928b
SHA256: c8a63d78a5db9266707bc9c2966ab3076308dcb5923268c7362f43af2c8af704
SHA512: b2d38a9144bfd12b1c78782a64f0628530502754582482ba8ab3cb19c1537d37d33f458be833d94dade70a1e0b36e0bcd08538ca2b627a1f5f507f99cbdc569c
-
Filesize: 1.5MB
MD5: c697aa5eccc51026a528e1bb7aeba004
SHA1: cd4c8ddd8909a9c059b64bcbe22c85d8f400c056
SHA256: df74710eb9bd94b3113f47a2fb17c0bc0466c958ca38ae1729d92bc173340ab4
SHA512: 371f3f5d9cd175885c562c7b3fcff541bfb7e409687be24fcb318ad5832c2be3e95cb25bca453a38c9411d366c899529b540d7ecd5f4986f9b8d4f5d10b2591a
-
Filesize: 701KB
MD5: f1e0773882cd5c452c9bff8f3fc21cdf
SHA1: b6f0c40ed4729f43ce638ae7dc9ea3bfdd251a1e
SHA256: 16e0014bc718c33d6aec36de8b3bbe39b66119d0cb7d4f43614c30fedfff3c59
SHA512: 67ccd2caead999e76239624de180b9e9d0aaddb44ddf2f324d7bd6ee378dddea2448325c6294988c89139dc70a2ac7935fb52e35343230c5642240c7a2e042fb
-
Filesize: 40B
MD5: d0df793c4e281659228b2837846ace2d
SHA1: ece0a5b1581f86b175ccbc7822483448ec728077
SHA256: 4e5ceefae11a45c397cde5c6b725c18d8c63d80d2ce851fa94df1644169eafc9
SHA512: 400a81d676e5c1e8e64655536b23dbae0a0dd47dc1e87e202e065903396e6a106770cec238093d748b9c71b5859edf097ffff2e088b5b79d6a449754140a52ad
-
Filesize: 193KB
MD5: ef36a84ad2bc23f79d171c604b56de29
SHA1: 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256: e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512: dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize: 1KB
MD5: 6533bceb7a429a5adf553a613dc9271b
SHA1: 102b43e44ace7f8d52ef5c652e2b93cba74aec28
SHA256: e47e513153626e2b003a8812755ed17ca27f2b736802a28d85fae931b3d8c7b4
SHA512: 6b12098bdba113c6119d9554a4f38d2fd30080f8c7379cd8f8bf01c5114ac8891942e9171620e4244c9aa7f518364947b30b846964e7c86efb9ce7eab076f9c7
-
Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize: 354B
MD5: ea3e4e2bbd7167f1eba9d16da5593fe7
SHA1: 058a077bdab962cb21679555e8ec6ce344353965
SHA256: 71e07172096716007ee115715320ea82a261e6a8ad7e828cc23a8d9098635a7e
SHA512: 0538cc0ab1cdacf73c7349bf392777824515b9036a8d62b85a12e5cef6d52a1906eadbe11498f28605da8af8ea53d14a9b39905da0e8fc123ec616bb64aa6ede
-
Filesize: 5KB
MD5: 6b5563b16d44474e9d20fe9258d3e831
SHA1: 3f747e0d4d56e3d186146196c1816f7142e5005e
SHA256: 9707fff3c8ee88ece53329f9f5cdc099fd1ea9a954ff5daee1f2ade215d8783d
SHA512: 7752db3eb1041e33fe7e34c15110206db6b358bad95102477b86744223bd5981c504f37c3b4118ce30978f7d8f86da9cd0043749abec503fb15555e4dabd5dbb
-
Filesize: 2KB
MD5: 1d0245a0816fd932b1963600bab98460
SHA1: 82d188a3a5fd107ed83000e16e41e0d67eed941b
SHA256: b9d8f68c1f5aeadb1748f8efa21c33a4235cca822bfdf19951d296b2f29944f6
SHA512: febc999100ab08b73d52fa2a08f7c09cf2281c420762d121150da6cecc922372a9591619163881a5d2956cc20a7bd6d1b5017b6f0575b55ca6baeeaa604632f6
-
Filesize: 16KB
MD5: 944ea219b3abe2998b1c87819ceefa87
SHA1005dd48ab797db6c39d41a157468a11277bfe039
SHA2566d43177ca2624c127387f8643e06ddc5c60ff2801fd18a4e185f80e3fcf2264a
SHA51246378dc57059123fea133819da50618c7e9ebba831ee33b480b067dcc0df3f84497d56c6f7035ed11214e1b0f929203235729f85f0b1acea115890b21f023aeb
-
Filesize
263KB
MD5474f9a376af6a71a46e4ed7d84175b7a
SHA145f9f56efc58533687b1f0d206e8ad1cfecd6221
SHA256e399097cdd7a64261de1b29df45c474d47877dabc425f4f922c193892c3532e5
SHA512ff1e5ffbbc0a982805b45a64136f62e5b65a978adafb3b066785fdd1a80b8b33245ec91bbed52532fd189dd0cbb9b90f309c93253a2889cc0d28c0f9c196a82a
-
Filesize
7KB
MD5ba25db93b3cc9182bb21aba963cc20bf
SHA127651bd07cf5552c5e3c85a8a31c4af64e10a392
SHA25617866876b45eff0f5c80faaa5a57d29138a807e1f350a2e1742d075b7f9f1ea9
SHA512a98cbe3e0cffdf11a6aee5eae093259b1c2f0124b5c7e9b4577358d3ac56e12d28c68feab9701ac683f4c73798856a1a747db0eee9dd755e2d125c2258e03296
-
Filesize
9KB
MD5266a5c466af5d1cc255caa355ad5bf0d
SHA1eabcf5642ce084a85eb3b862c9b498c704ac8433
SHA256e740829187d9ff05e0c0147a6d20a6018352bfb99abf8dc67e59b81acd538995
SHA5128f5acf6b32f3e320a59a29f4b6375cfc73745cd0d2f84f9ac8a7e61ac8d42f3c7c05d80a2a3e2ff9a644b6032bf8b939ba02e7c500c0368f2eb5b7204fa5f603
-
Filesize
12KB
MD5f2ee6255d0c8ae5fe8352c6723b8eff2
SHA1110ef86aa7a5ae841279304fc9a638710962e9eb
SHA2565f0e8a0bcddd2cd6db575fb2075145484261fe121c47c1579129c194bb78cba8
SHA51261aa8ed740470e70add342aeb178d9c729a664afe5234415ba21fb28a3c969a9305c572d8dd5803f4ca629356e17dab7f8cd48b3b31b97df3ee229699ff0bb9a
-
Filesize
588KB
MD5a1577dcc20dd3b2eac23458fd118daef
SHA165d0c617d137499f963c385727870d286ba85cd9
SHA2562183cfc25385b220107f5f374305fbd7061b7e890935d589cdd12c6b7725dd5e
SHA5121a2c1b5eb8cf8668b15f66ba18573c06561dfb87068d391b8153e19bdbe4fd46d68300effca8e79a5836c121989d717dfd96a43885da96e6fed665abaa389a2f
-
Filesize
1.7MB
MD572638299dbf8279b54242ccf809ae6ce
SHA1c83bf33a4f8d498b63236b657055a2a6abbe4c88
SHA2567865e215b536621c826de26fb9cbfc998d1211081cbe8e96adddf32ac28b243b
SHA5123f62e80b1da1556384871e91daa94f1a35482e253d57f0715f2e9edda9ae7ea14bf22846836f847cccd33c47087a4c0be3659927de1c5bdb62369436445cad1d
-
Filesize
659KB
MD553166778ca8a64eb809d6ae780dab76e
SHA1725e5df3043841347eb5ed5aac915a113a4800ac
SHA256b9514b0a982e4852214bdd3cfdbc9bb7b5667660b2276fe1f423057f89e34c3a
SHA512639c71080a4f876710e1dc22eb91d128a2cc756d8143547ec4a0cce608bb8cba5e80b63fad7a0e99c15c5b95e172ee92f3ec4ac1f9bf9e6bddc12594dc862bf1
-
Filesize
1.2MB
MD5f6d8293b6a453976f0d5b140bdc169ed
SHA1cb3743c6fba166104adddedfcaeb48a453c7ea88
SHA256e0a427decfd2c4061182a7c73fdbcf32bc55a85d606606f99a6b2fb83b5fdb83
SHA5125a476b5a7d46e962a5e439657ee0d6dd6f6543711d6e21ac064f1d1426c8bd4576831a24d1b69752d066daae3822345cd21da8747e5bde115d540e1d6cdacb15
-
Filesize
578KB
MD59ff94072cd707c78d3233af578d4e358
SHA18134931b8656d9e5fa79c5ac7ce9273e511955b8
SHA25696d52c70477796e619893edde6a6876f56e6d3d3ce369543d0e7190f3c1eba87
SHA5122c5800c058fa28e038a6f920c820ca07a7fb4420fc266865ac61c7867282bb45eda92e0fee2f93d0f805bfb132d49652412cd13bf98c23cb3dcba5ccee9001ad
-
Filesize
940KB
MD51faabe4d517dcaa1726bb6e9a657fcce
SHA1d5874905e6bc253b3cdae1a634ba3aa222e30f18
SHA256d70121d36bb0f5dd72a12e2493eb2f2be4a9e0e3ae2cb49cc5723312af225824
SHA512518577f2bc66013b2df49ed28cd087af2722532e57a5799f76ff84df4a0752c0b03b3c106c7c569cb0e92857ab9c0039ca7bb42d9fa64bdfa4b561131243b547
-
Filesize
671KB
MD5fdb7f5d17f26e57fb8ce9bc774a263bf
SHA148fdc6999ac62e8c813605a8c15f4d9ccbffd5f3
SHA256363385083b5bead955ef61daa5ea73a2172756f8a3675d350af197fd7fc0b243
SHA5120dee49500ceaa8e37d5ebec84091c684f35b32c9bb8a066af82b949171369990ae70d1d230cfb3cf278b0e286798e4d00c8113c1f67b65e3b22cec119f141d94
-
Filesize
1.4MB
MD5565f85e192c628545a111fb6c39034cf
SHA139af13f4b8e399c8db530624b4aed37e15784ed3
SHA2566bfd28b9eaac6f13d043404e4265a180d447df4922bea42401eaabff5e0a3dce
SHA512061cc8bcc2d713cb41c6dec957c723c2ed1a7f671bde4d5dfa64e7b91e7de644434c00c49cc106398ae2abbd8676dffb9c71b408858dc8cfc04327718865549b
-
Filesize
1.8MB
MD5ee63809f29a6aa6069d323bf8838388f
SHA15e5f91fe7d8831d3681b4ff1589b93498769790c
SHA2561ef3fd49d15c991b5ab5da161d60f150ed62b7133ec61f5328e95cb9dd6ca4b4
SHA512a5b0265a058933d660a9a54fdf673315801c0fe863d43c2011f74e428e9f7e952dc83b8f46ace7482bc40bb5f102844905d28efd6d18480e729bd1ffaaee590e
-
Filesize
1.4MB
MD50337c46fdb1b7a5fa063259bad45b776
SHA189d47797540bad4dda13ea933cba60b2213d2e46
SHA256488258159be5878cef226777f1db51390ff6768efd8055fa44e0210663229711
SHA5125aa141001515fbc322a9df4d5507938dddfe9d0f5d34c788e195077b04b55ecb82d7eeb042cc091563052729da308a5ab07e9953a49f779a0e9021088fcc8e6b
-
Filesize
885KB
MD574e9475bb53482c44762672809ddc45c
SHA14ba29053c29c891d9975be7eb0a160f1d76d5848
SHA256fbb76c24a4f91b1b08897b7ad51285079ab11f9e13c3cb8f1174ba4e4d3b8bea
SHA5126d4c79260f59b279c9924f36ff81f7f94222543fb025f0f607c56f1226016ab2b9f8676057fea45ffc4f368fb37767e220dd06659181c804a8b6c15bd919339b
-
Filesize
2.0MB
MD5923a4102e302e2075891a88052ef3148
SHA1ce53e9d2391f5c766e8774fa81720bd1be25ca43
SHA2567bdf4bce5cdb81b75f0f8e4e61b0079d81e492baf41702f14c7159aacc96318a
SHA51243cedb05a3dee47ddc0882db3e5c604b5b2f7880b1fa0c1ecdfd4e138931cd12844b3ea3942169a3c652bdabecf94e7e3571243bf6965414f7bc45efa6c2df8a
-
Filesize
661KB
MD5771ac77fee4bdeabccc96d366dee8d8a
SHA1039338ba186283f6a040867a0fbaaf0c379e31e2
SHA25623c6a572565cd26829e1743390b20d247a1855ca91ec55872f7f5ae230be4afa
SHA5125de25d7df9640132986b784c6d3a288834cff08996fcc2b621f8bf021c86a35653330313744975291236eecc8ac2645b43d8b96bf1069a7b55c5f7e4978bd23c
-
Filesize
712KB
MD52facc456c395c5674cd64044810b4ddb
SHA102bc27bf695ca2fc4a309436006c49ff35e3947f
SHA256a9f62b19ac34724898501c1805fccae7bc4a58e1cb3c51a1d20078c7ac316b7e
SHA512c2c4372eb10b0d78756cf355dbf903e33d39c4dcd0c232938cbbb67d074e00f2cdf85814dae8ebeb4fad4cd061028a123245c3ad867dbff7c78acc9358e3c9b6
-
Filesize
584KB
MD59db0540fef2fcc216232fdbf4d769f75
SHA16a434bb83c5e9a2c5a46ba995fe93521f1d4a9d1
SHA25640c7491adf82ae65e41598526b23866b729356c7e7770ab533051a64148a4f13
SHA512d3ff516463e7211f0bf5261572fa87f9eef8602c46860668b862271aa880f64c562053fdac5e3abeb6a11d169e3c81348cd67c98e3e602faa160ff283925b47a
-
Filesize
1.3MB
MD585c1e52481dae1cd73e391e82e99955e
SHA125ad5b03d3bd2600e20cec8e2279dfd2850b1063
SHA2563d0e0ba93f381603f052582f733ab93b89008738e4b811ed983db7e02fce14cb
SHA512ee13449e6af948da1eb1f86893739f848ec26dfad961691c16693e1b131179cfa53dd0b593251abd486726ea364f4977f6d330ae3ac52c513855b56744d0c4e2
-
Filesize
772KB
MD550bd5447fa5403f903f61e779925b913
SHA13faaf7cc3255894b6866bcdd7c99a39bf6962c0e
SHA25605bfc3a3b6523daeb61568b5566baa05321f9b92e920acaf0b8f957465339ac7
SHA5125f5bee2d07a92e8b5b3f1f578aab44a1bf316355aec99dd2a135168359812ff5fb4fa38cc6e36bebaaaaef7358d11e79c7ef4cdb76ab45f0773a3f63b2971955
-
Filesize
2.1MB
MD5ac4d2eec23de48ffd570a9165dea8d4d
SHA1dda5b585ce116d1174bea47284f2322c47aba40e
SHA2566ba5a2a194d5a8e01311f3d54c8e7027af30970179d28a22e5bd553229cfc226
SHA5122680cbd10e913a1cc0097694e4fe0437982cdd2b9660074e818d257244ab64da116166d77951344ba96d4f5d0d689a32b47e985ec825a303a486a15954a3575a
-
Filesize
40B
MD5dd7a044bb22136e85285d21163fdef66
SHA11fcea0d904998de1bdea9cfa654a50c20b3dcc5b
SHA256b918a44d48859b4ed705a9a7a23d4a816a368aa2161ad495a7a6d1c6992b61a0
SHA51267afbad0468b8d5b405186c63a0960f5fcda15b2ab73767c292863e221265758001b2e110a3296f5d2ba1463863d556a535850a65a107344ade40a79c33bf358
-
Filesize
1.3MB
MD5c2ee80b3e0e8a6919b43775b8987d02c
SHA1b8c25053968003edebfee798eb7048cd1a8a9234
SHA25645d6261dfee53c8ffc5b805c34973b7845ddfb434ce8695da8a7575160713e46
SHA512bd15b03d894df74e66109c8d2af94f8fc60389459c0bbb219ebb53c998877860c3d328b72388ff25327b3dabca41653f03822ab5c84a03815dffaf1934594e58
-
Filesize
877KB
MD557d1c0ac7dea8875c9ba2c95b085f161
SHA16ae230461ae4aa2ac2b5fe8d1d9780bb79c07997
SHA25620022de57695fb7df54ac00e6a07e6b0e3e94625040b73f5947c7e28440bb16a
SHA512969501216a2c2ebf088bdc1aeb1cf9a14c7fff9eb54a896654d99212fa9c75c6408dcd5fa67da5e7987538c5deb182f056ba613111f3bfc5198a12b625ecded2
-
Filesize
635KB
MD5f3ab0d611d302190275999e11c3bded5
SHA10257cd6d8261057f6096017ccda369297e936f73
SHA256c54d347679dae6b2bd6a8470dc40d5f4d1158527383f44ef4a6855b36850426b
SHA51227fa9429b62c4e9841d31fa2fbb9dac68b1ae967b1d13f84574e418dab241323f056483d60134c4ee300d9341b9f459eeec9fcf5b6167b86748f8926d35e8e2b