Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/06/2024, 17:47

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
Resource: win7-20240221-en

General
Target: 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
Size: 5.5MB
MD5: 2a5cc09797f9a012e13c23ad75169860
SHA1: e85fe0ab66cadeaf5e2d7d8b26cb22d95b2bd1f5
SHA256: 9cd0775071f6fbec6d846f0fffca9bc4b9de8044b4d7f4c1850b4ffed345c61f
SHA512: 9d69fb17fb6c28c7e08e341685ce9112334435951dc23fc94203feeee91a59d707de7fb023d5205ff28dee323bd43a1ebec82c344c7948392ff511d56cd571d1
SSDEEP: 98304:PAI5pAdVJn9tbnR1VgBVm6YjQHiqPtXBeIM:PAsCh7XY1YjVqPdBeI
Malware Config
Signatures
Executes dropped EXE (26 IoCs)
pid | Process
4964 | alg.exe
2384 | DiagnosticsHub.StandardCollector.Service.exe
2536 | fxssvc.exe
3528 | elevation_service.exe
3504 | elevation_service.exe
2432 | maintenanceservice.exe
3496 | msdtc.exe
2856 | OSE.EXE
4168 | PerceptionSimulationService.exe
2968 | perfhost.exe
3296 | locator.exe
2684 | SensorDataService.exe
676 | snmptrap.exe
1192 | spectrum.exe
804 | ssh-agent.exe
4544 | TieringEngineService.exe
632 | AgentService.exe
1040 | vds.exe
5056 | vssvc.exe
3000 | wbengine.exe
2700 | WmiApSrv.exe
1144 | SearchIndexer.exe
6076 | chrmstp.exe
3904 | chrmstp.exe
2272 | chrmstp.exe
5352 | chrmstp.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\52259bfb293b476c.bin | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | alg.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | alg.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
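Read together, the three "Drops file" tables and the "Executes dropped EXE" list describe a chain rather than a set of independent drops: the sample opens dozens of legitimate service and application executables for modification, several of those binaries then run (alg.exe, fxssvc.exe, msdtc.exe, SensorDataService.exe, chrmstp.exe and so on), and alg.exe in turn opens further executables in System32 and Program Files for modification. The script below is an added example, not part of the sandbox report or its tooling; it parses a constructed subset of the rows above in the flattened "description ioc Process" layout and extracts three things a responder needs: who wrote each executed binary (first- versus second-generation hosts), which executed binaries went on to spread, and which modified executables never ran during the analysis window. Function names and return shapes are this example's own. One caveat the report itself cannot resolve: "opened for modification" records a handle with write access, not proof that bytes changed, so the remediation list it produces should be confirmed by hashing each file against a known-good copy.

```python
"""Infection-chain reconstruction over the report's drop/execute signatures.

Added example, not part of the sandbox report or its tooling. The rows below
are a constructed subset copied from the tables above, in the flattened
'description ioc Process' form the page uses; function names and the
returned shapes are this example's own choices.
"""
import re
from collections import defaultdict

SAMPLE = "2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe"

# Constructed subset of the 'Drops file in ...' rows (path, then writing process).
DROP_ROWS = [
    f"File opened for modification C:\\Windows\\System32\\alg.exe {SAMPLE}",
    f"File opened for modification C:\\Windows\\system32\\fxssvc.exe {SAMPLE}",
    f"File opened for modification C:\\Windows\\System32\\msdtc.exe {SAMPLE}",
    f"File opened for modification C:\\Windows\\system32\\SgrmBroker.exe {SAMPLE}",
    f"File opened for modification C:\\Program Files\\Google\\Chrome\\Application\\110.0.5481.104\\Installer\\chrmstp.exe {SAMPLE}",
    "File opened for modification C:\\Windows\\System32\\SensorDataService.exe alg.exe",
    "File opened for modification C:\\Windows\\system32\\fxssvc.exe alg.exe",
    "File opened for modification C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\52259bfb293b476c.bin alg.exe",
    "File opened for modification C:\\Program Files\\7-Zip\\7zFM.exe alg.exe",
    "File opened for modification C:\\Program Files\\Java\\jdk-1.8\\bin\\java.exe alg.exe",
    "File opened for modification C:\\Windows\\system32\\MSDtc\\MSDTC.LOG msdtc.exe",
]

# Constructed subset of 'Executes dropped EXE' (pid, process).
EXEC_ROWS = [(4964, "alg.exe"), (2536, "fxssvc.exe"), (3496, "msdtc.exe"),
             (2684, "SensorDataService.exe"), (6076, "chrmstp.exe")]

# Paths may contain spaces; the process name never does, so anchor it at the end.
ROW_RE = re.compile(r"^(File opened for modification) (.+) (\S+)$")


def parse_drop_rows(rows):
    """Return [(path, process)] from flattened rows; fail loudly on anything unexpected."""
    parsed = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        parsed.append((m.group(2), m.group(3)))
    return parsed


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def exe_writers(drop_rows):
    """Map lower-cased EXE basename -> set of processes that opened it for writing."""
    writers = defaultdict(set)
    for path, proc in parse_drop_rows(drop_rows):
        if basename(path).endswith(".exe"):
            writers[basename(path)].add(proc)
    return writers


def infection_chain(drop_rows, exec_rows):
    """For each executed 'dropped' EXE, who wrote to it: the sample (generation 1)
    and/or an already-executed host such as alg.exe (generation 2)."""
    writers = exe_writers(drop_rows)
    return {name: sorted(writers.get(name.lower(), ())) for _pid, name in exec_rows}


def second_generation_writers(drop_rows, exec_rows):
    """Executed binaries that themselves opened further EXEs for modification."""
    executed = {name.lower() for _pid, name in exec_rows}
    spreaders = defaultdict(set)
    for path, proc in parse_drop_rows(drop_rows):
        if proc.lower() in executed and basename(path).endswith(".exe"):
            spreaders[proc].add(path)
    return {proc: sorted(paths) for proc, paths in spreaders.items()}


def dormant_infected(drop_rows, exec_rows):
    """EXEs opened for modification that never ran during the analysis window:
    the remediation scope a dynamic-only view would miss."""
    executed = {name.lower() for _pid, name in exec_rows}
    return sorted(set(exe_writers(drop_rows)) - executed)


if __name__ == "__main__":
    for name, writers in infection_chain(DROP_ROWS, EXEC_ROWS).items():
        print(f"{name:24s} written by: {', '.join(writers) or '(not modified)'}")
    for proc, paths in second_generation_writers(DROP_ROWS, EXEC_ROWS).items():
        print(f"{proc} went on to modify {len(paths)} EXEs")
    print("modified but never executed:", dormant_infected(DROP_ROWS, EXEC_ROWS))
```

On the subset above, fxssvc.exe is written by both the sample and alg.exe, alg.exe is the only second-generation writer, and SgrmBroker.exe, 7zFM.exe and java.exe are modified without ever running. Feeding the full tables in gives the complete list of binaries to restore from known-good media.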
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
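The SCSI rows and the BIOS rows above are the two registry locations a sandbox-detection routine classically reads, and the device instance IDs the report records show what such a routine would see on this analysis host: the hard disk is presented as "Ven_DADY&Prod_HARDDISK", which hides nothing obvious, but the optical drives are still "Ven_QEMU&Prod_QEMU_DVD-ROM" and "Ven_Msft&Prod_Virtual_DVD-ROM". A check that parses the device IDs, rather than only the FriendlyName values, would therefore still flag the VM. The script below is an added example, not part of the report: it parses the four device IDs listed in the SCSI table, applies an assumed marker list to vendor/product strings, applies the same check to the BIOS SystemManufacturer/SystemProductName pair (the BIOS values in the test are constructed), and on Windows can enumerate HKLM\SYSTEM\ControlSet001\Enum\SCSI live via winreg so a sandbox operator can audit their own image. Two caveats: "Msft Virtual DVD-ROM" also appears on physical machines with a mounted ISO, so VIRTUAL alone is a weak signal compared with QEMU, VBOX or VMWARE; and the reading processes here, SensorDataService.exe and spectrum.exe, are Windows service binaries that the sample opened for modification and that later executed, so the report does not settle whether these reads come from injected code or from the services' own PnP enumeration.

```python
"""What a sandbox-detection routine built on the SCSI enumeration keys sees.

Added example, not part of the report. The device instance IDs are copied from
the 'Checks SCSI registry key(s)' rows above; the marker list, the BIOS strings
used in testing and all function names are this example's own assumptions.
"""
import re
import sys

SCSI_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"
BIOS_KEY = r"HARDWARE\DESCRIPTION\System\BIOS"

# Device instance IDs from the report (HKLM\SYSTEM\ControlSet001\Enum\SCSI\<id>).
REPORT_DEVICE_IDS = [
    r"CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001",
    r"CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002",
    r"CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000",
    r"Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000",
]

# Substrings hypervisors commonly leave in vendor/product/BIOS strings (assumed list).
VM_MARKERS = ("QEMU", "VBOX", "VIRTUALBOX", "VMWARE", "VIRTUAL", "XEN", "BOCHS", "INNOTEK")

# <class>&Ven_<vendor>&Prod_<product>\<instance>
ID_RE = re.compile(r"^(?P<cls>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^\\]*)\\(?P<inst>.+)$")


def parse_device_id(device_id):
    """Split a PnP device instance ID into (class, vendor, product, instance), or None."""
    m = ID_RE.match(device_id)
    return m.group("cls", "ven", "prod", "inst") if m else None


def markers_in(*strings, markers=VM_MARKERS):
    """Markers present (case-insensitively) in any of the given strings."""
    hay = " ".join(s for s in strings if s).upper()
    return [mk for mk in markers if mk in hay]


def vm_markers(device_ids, markers=VM_MARKERS):
    """(class, vendor, product, markers) for every device whose ID carries a VM marker."""
    hits = []
    for dev in device_ids:
        parsed = parse_device_id(dev)
        if parsed is None:
            continue
        cls, ven, prod, _inst = parsed
        found = markers_in(ven, prod, markers=markers)
        if found:
            hits.append((cls, ven, prod, found))
    return hits


def bios_markers(manufacturer, product, markers=VM_MARKERS):
    """Same check on the BIOS SystemManufacturer / SystemProductName values."""
    return markers_in(manufacturer, product, markers=markers)


def enumerate_scsi_device_ids():
    """Live enumeration on Windows via winreg; empty list on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    ids = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_KEY) as scsi:
        for i in range(winreg.QueryInfoKey(scsi)[0]):
            dev = winreg.EnumKey(scsi, i)
            with winreg.OpenKey(scsi, dev) as devkey:
                for j in range(winreg.QueryInfoKey(devkey)[0]):
                    ids.append(dev + "\\" + winreg.EnumKey(devkey, j))
    return ids


def read_bios_strings():
    """(SystemManufacturer, SystemProductName) on Windows; (None, None) elsewhere."""
    if sys.platform != "win32":
        return None, None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BIOS_KEY) as k:
        return (winreg.QueryValueEx(k, "SystemManufacturer")[0],
                winreg.QueryValueEx(k, "SystemProductName")[0])


if __name__ == "__main__":
    ids = enumerate_scsi_device_ids() or REPORT_DEVICE_IDS
    for cls, ven, prod, found in vm_markers(ids):
        print(f"{cls:6s} {ven:8s} {prod:20s} -> {found}")
    man, prod = read_bios_strings()
    if man or prod:
        print("BIOS:", man, prod, "->", bios_markers(man, prod))
```

Run offline it reports the three CD-ROM entries from the report and nothing for the disguised disk; run on a Windows sandbox image it shows which of your own device IDs would betray the VM before a sample does.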
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005c5edd7c27bcda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000086a4317e27bcda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4ea7f7e27bcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4042d7d27bcda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca908e7e27bcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a6ace7c27bcda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a4de57c27bcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fadbd07c27bcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000240a2c7f27bcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133626016728539738" | chrome.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000469cee7c27bcda01 | SearchProtocolHost.exe
Modifies registry class 1 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
-
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid Process
1704 chrome.exe (2 entries)
2708 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe (35 entries)
4808 chrome.exe (2 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
664 Process not Found (2 entries)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process
1704 chrome.exe (3 entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1736 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
Token: SeTakeOwnershipPrivilege 2708 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
Token: SeAuditPrivilege 2536 fxssvc.exe
Token: SeRestorePrivilege 4544 TieringEngineService.exe
Token: SeManageVolumePrivilege 4544 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 632 AgentService.exe
Token: SeBackupPrivilege 5056 vssvc.exe
Token: SeRestorePrivilege 5056 vssvc.exe
Token: SeAuditPrivilege 5056 vssvc.exe
Token: SeBackupPrivilege 3000 wbengine.exe
Token: SeRestorePrivilege 3000 wbengine.exe
Token: SeSecurityPrivilege 3000 wbengine.exe
Token: 33 1144 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1144 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1144 SearchIndexer.exe (24 entries)
Token: SeShutdownPrivilege 1704 chrome.exe (13 entries, alternating with the next row)
Token: SeCreatePagefilePrivilege 1704 chrome.exe (13 entries)
-
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process
1704 chrome.exe (3 entries)
2272 chrmstp.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1736 wrote to memory of 2708 1736 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe 82 (2 entries)
PID 1736 wrote to memory of 1704 1736 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe 83 (2 entries)
PID 1704 wrote to memory of 4468 1704 chrome.exe 84 (2 entries)
PID 1704 wrote to memory of 2584 1704 chrome.exe 112 (repeated)
PID 1704 wrote to memory of 3740 1704 chrome.exe 113 (2 entries)
PID 1704 wrote to memory of 312 1704 chrome.exe 114 (repeated; the 2584 and 312 rows together account for the remaining 56 entries)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
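This signature fires on use of the VSS COM interfaces, which leaves no tell-tale command line: the only VSS-related process in the tree below is the service binary vssvc.exe (PID 5056), listed as an executed dropped EXE, not a vssadmin or wmic invocation. The command-line rules most detection teams run for shadow-copy tampering are therefore a complement to a signature like this one, not a replacement for it. The following is an added example, not part of the sandbox report or of any vendor tooling: a small detector over constructed Sysmon Event ID 1-style records (the PIDs, paths and command lines are made up for the demo) that normalises the command line before matching, so spacing and quoting tricks do not defeat the patterns, and ignores benign enumeration such as `vssadmin list shadows`.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records for the demo; the
# PIDs, paths and command lines are invented, not taken from the report above.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "cmd": r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet'},
    {"pid": 4133, "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "wmic   shadowcopy    delete"},
    {"pid": 4140, "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": 'powershell -nop -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    {"pid": 4151, "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "vssadmin list shadows"},                      # benign enumeration
    {"pid": 5056, "parent": r"C:\Windows\System32\services.exe",
     "cmd": r"C:\Windows\system32\vssvc.exe"},             # service start only
]

# Rules run against the normalised command line rather than the image path, so
# "cmd /c vssadmin delete shadows" is caught although the image is cmd.exe.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete shadows\b")),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize shadowstorage\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("diskshadow_delete_shadows",
     re.compile(r"\bdiskshadow(?:\.exe)?\b.*\bdelete shadows\b")),
    ("powershell_win32_shadowcopy",
     re.compile(r"\bwin32_shadowcopy\b.*(?:\.delete\(\)|remove-wmiobject|remove-ciminstance)")),
]


def normalize(cmd: str) -> str:
    """Lower-case, strip quotes and collapse runs of whitespace."""
    return re.sub(r"\s+", " ", cmd.replace('"', "").replace("'", "")).strip().lower()


def detect(events):
    """Return one hit per event whose command line matches a tampering rule.
    The first matching rule wins; the parent image is kept for triage."""
    hits = []
    for ev in events:
        cmd = normalize(ev["cmd"])
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append({"pid": ev["pid"], "rule": name,
                             "parent": ev["parent"], "cmd": cmd})
                break
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: {hit['rule']} (parent {hit['parent']})")
```

On the sample records the detector flags PIDs 4120, 4133 and 4140 and stays silent on the enumeration and on the bare service start, which is the point: a process that deletes snapshots through the COM API, as this signature reports, produces exactly the silent case.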
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2d4,0x2d8,0x2a4,0x2dc,0x140462458,0x140462468,0x1404624782⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb610fab58,0x7ffb610fab68,0x7ffb610fab783⤵PID:4468
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1924,i,10891759352711051076,5296715924390367985,131072 /prefetch:23⤵PID:2584
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1924,i,10891759352711051076,5296715924390367985,131072 /prefetch:83⤵PID:3740
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2164 --field-trial-handle=1924,i,10891759352711051076,5296715924390367985,131072 /prefetch:83⤵PID:312
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1924,i,10891759352711051076,5296715924390367985,131072 /prefetch:13⤵PID:228
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1924,i,10891759352711051076,5296715924390367985,131072 /prefetch:13⤵PID:1548
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4260 --field-trial-handle=1924,i,10891759352711051076,5296715924390367985,131072 /prefetch:13⤵PID:5428
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1924,i,10891759352711051076,5296715924390367985,131072 /prefetch:83⤵PID:5956
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings3⤵
- Executes dropped EXE
PID:6076 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae684⤵
- Executes dropped EXE
PID:3904
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=04⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2272 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae685⤵
- Executes dropped EXE
PID:5352
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 --field-trial-handle=1924,i,10891759352711051076,5296715924390367985,131072 /prefetch:83⤵PID:6092
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2396 --field-trial-handle=1924,i,10891759352711051076,5296715924390367985,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4808
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4964
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:2384
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:4652
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2536
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3528
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3504
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2432
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3496
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2856
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:4168
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:2968
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:3296
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2684
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:676
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1192
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:804
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:3112
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4544
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:632
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:1040
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5056
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3000
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:2700
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1144 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:5244
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:5280
-
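The process tree is the core of this report. The two sample PIDs (1736 and 2708) enable SeTakeOwnershipPrivilege, the privilege that lets an administrator-level process take ownership of TrustedInstaller-owned binaries under System32 and Program Files and then overwrite them, and the depth-1 entries tagged "Executes dropped EXE" (alg.exe, fxssvc.exe, msdtc.exe, TieringEngineService.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe, ssh-agent.exe and the rest) are those overwritten service binaries being started as services afterwards. The check a responder wants on a suspect host is a hash comparison against a baseline taken from a clean machine of the same build, not a size or timestamp check, because an in-place overwrite keeps both. The following added example is mine, not part of the sandbox report: it stages the watched paths from the tree above under a temporary directory, records a baseline, reproduces an in-place overwrite, a grown file and a deletion, and reports which paths no longer match.

```python
import hashlib
import tempfile
from pathlib import Path

# Service binaries the tree above lists as executed dropped EXEs. Kept as
# Windows-style relative paths so the demo can stage them under a temporary
# root instead of touching a live System32.
WATCHED = [
    r"Windows\System32\alg.exe",
    r"Windows\system32\fxssvc.exe",
    r"Windows\System32\msdtc.exe",
    r"Windows\system32\TieringEngineService.exe",
    r"Windows\system32\vssvc.exe",
    r"Windows\system32\wbengine.exe",
    r"Windows\system32\SearchIndexer.exe",
    r"Windows\System32\OpenSSH\ssh-agent.exe",
]


def local_path(root: Path, rel: str) -> Path:
    """Map a Windows-style relative path onto the staging root (portable demo)."""
    return root.joinpath(*rel.split("\\"))


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, relpaths) -> dict:
    """Snapshot size and SHA-256 of each watched binary. In practice this is
    taken from a known-clean host of the same build or from trusted install
    media, never from the suspect machine."""
    return {rel: {"size": local_path(root, rel).stat().st_size,
                  "sha256": sha256_file(local_path(root, rel))}
            for rel in relpaths}


def audit(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the baseline. Only the digest decides; the
    recorded size is kept for reporting but a size match is not evidence."""
    result = {"modified": [], "missing": [], "unchanged": []}
    for rel, expected in baseline.items():
        p = local_path(root, rel)
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != expected["sha256"]:
            result["modified"].append(rel)
        else:
            result["unchanged"].append(rel)
    return result


def demo() -> dict:
    """Stage a fake tree, snapshot it, then mimic the sample: overwrite one
    binary in place (same length), replace another with a larger payload and
    delete a third. Returns the audit result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in WATCHED:
            p = local_path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"MZ clean " + rel.encode())
        baseline = build_baseline(root, WATCHED)
        # "MZ dirty " has the same length as "MZ clean ", so size alone would miss it.
        local_path(root, WATCHED[0]).write_bytes(b"MZ dirty " + WATCHED[0].encode())
        local_path(root, WATCHED[4]).write_bytes(b"MZ" + b"\0" * 4096)
        local_path(root, WATCHED[7]).unlink()
        return audit(root, baseline)


if __name__ == "__main__":
    for verdict, paths in demo().items():
        print(verdict, paths)
```

The demo reports alg.exe and vssvc.exe as modified, ssh-agent.exe as missing and the other five as unchanged. On a real host the same `audit` is run with the suspect volume mounted read-only from trusted media; signature checks such as `Get-AuthenticodeSignature` are a faster first pass, but a hash comparison against a baseline is what settles whether a binary is the one that shipped.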
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD599cb16a41b855728357a3dc78217850e
SHA12e963dd741f7bda972d60c4bfe9b5cf9135f2a5d
SHA25613a8a52cd49fbe0ffb0111ca180b246bc4b410bd246222a0538695d75ded10ce
SHA51234d9c1b8460ab4bc6419f793ea2e6ac43edaacff5ad61c31687a16ce4b41847606dfe4e07d3d625f786af4168194f605f14e3d2eb3cb5d1123a4f06b0bd5fb3c
-
Filesize
797KB
MD518fde8ce707cf4b79fb00825fa6dc70b
SHA1385dd0f2480c3a1c6783fb6d643318f95b4e4658
SHA2564aafc649f34aaf84eba8ec69625816bf24d48487de1ab3c7fd58a1a4aa182a3c
SHA512db03061875d70ef7948bd520a266be578b722fd3da24c43b3e64e482e4a29bf1d46270e217477197ece3fdef2142a24d045d647f2464346dd0b7061481e4fe02
-
Filesize
1.1MB
MD59b1bb3fb0e7211ce44e9d2e53b9c9bef
SHA18643becb837b13ff84a3e0e3dbae66e1984b3656
SHA25636ec926b2043ca0202218c1dc7a0369a5ff737ed888dffb421f7dbdcecb15eaf
SHA512653d5cd9def47bca6e0458dcc728ac8aa2b2854f4377f339788dbfe18e6326e0c5ee0c002e8cc86073e2be931da5eeb4a1eebf77097daa6e4eb914ad8ffb62f5
-
Filesize
1.5MB
MD533a58acec54d4f35f3d8adb70f31fb96
SHA1e58511c22ecba04316a024d6c4e054357814718e
SHA256ad8c9051d0260e493340b20b9692224ab0787b34cb0cb50f6dafdd9f6782afc7
SHA512a0ae8bae82e753106b962820104c92e16a7777ed4d69224ba293deab7c74c2468865387d4374ec530d3f8e16f91b6b36d4881fafcc66c4cf4d64e0c342c7c740
-
Filesize
1.2MB
MD543db0a62b7fc5903794ac41173e0deba
SHA14a925e73ccf0ab713fbdee2b43fc9e98d92b0938
SHA2564d656e059c35f7d1b78563f6671efb207dc41c49f8d4f487d0f3f3a153952e4a
SHA512a95d6d26a1cfaf83fa2ef51f45dc35e83cee1bf39b6fac5881c4b1093bc4f769374be40fdcc615746650863b4afefdc8df0d18982448306c378d16dacbb82e4b
-
Filesize
582KB
MD53132a81ed1708677d61d0f26050ea9b5
SHA180cb01e33bed9db3b0d13e93b1f642e4451e4fb9
SHA256363f419697f1d86bc26adbc8e6081d5e4eb9c9c062657345825e7bad105a3f98
SHA512c138057563f7e69cd559ab05fd609dd3938ae6ef669328d6f91eeae771c386d5eefdfe5fec102cc1dd4f74e0e4576220a10ac7818702db4998569b030375ad8b
-
Filesize
840KB
MD520506dce7fa6b072e98a36df7f659c89
SHA18be435f14266a2b6311c71ed84779fdb5555865c
SHA256617e4ab13057747f9fba2f6b6ac7e6dc46d20f9943c036490e325fc6d03e3f01
SHA5123d255a47ec4307c1675db66c324e52fea54e41150d340f727ab349ac7732f73548ca1a46c0fb7056d792138da4ce5e7e1932f17740138c5fe76e0755bb4e5cd0
-
Filesize
4.6MB
MD5447548fe0df99795d906e09012d32bd4
SHA1ea77dac1428b234f540dedb7baf3f5ed2175e699
SHA2566b2f05b40449caec6286ec8d6a6a9d3c80edd63e60badacaa2207fe8572f7f36
SHA5129612fab765605aa59a6beaabd32a2cb384aa846fd22e5d315388d6f19f1b1fdfdc16aa44d9684ad3db0d90958ebed28b7520bc5cea8c7149441de9a179508b3c
-
Filesize
910KB
MD555e2b03c191cd83bf015892640a1807a
SHA16c790df2dac1d602849b1eb59ed2504327b314bc
SHA256aed890925cb2f1312b4b421cfab525c9f19131ae58a7883dc263e414fdac459a
SHA512cbacd4aa604ea7fa176e4f836f792f4ff2095bbdc9a25ee870e71b676d0a796a1fc7794c335e51fdc2345abf57148694c10900ba5f781416c057bc35fb99a90d
-
Filesize
24.0MB
MD5278ceb0aad38bce03b6fd7260b686806
SHA16129472e1e3006ffb657457175d1f5604bf5d974
SHA2560037f8dded091b2e9cb26668d14a35e2fc3815ee13bae0ccc81046e07ac07e49
SHA512ac685b7d8b1d539f9981ff51d7ae7c703bb27dbf3936227cf001892baef3731d26707bacc8147445db518bb5d27e99d4b2908abc0f95cd1bf465b5edc6eaf36b
-
Filesize
2.7MB
MD59664e61ad18f725e565cb60e392511a2
SHA19459e4233f015af7c1844f0c54252a994ab2e3dc
SHA256a9bc5eef7bda34d6e88f830e59ce915270f58c085e5bcf073bee165b2d94a1c4
SHA5122f584c5896bc140704268b17cc9c3e99cd1113d95ba9a61b206da196e4eb2b0412630276d3facbab5bacd1881c9c94826d1d00ec7ef2523509281c1105edc8da
-
Filesize
1.1MB
MD5c90c5336a667f8e9f47dbb26f770c11c
SHA16658c72557624b66cd24cfda2800296b3650616a
SHA2562cbb37b2b4356286bd78af38afdcad97ea942370838110caf426038c35dfba78
SHA512350e729df28ad40b1505afeb22126b2c10f4e90abe13fc540a04f78f39ba3300220ca1f7a85bcaf0366aba571c534589ea55768a71888e5a779ae08252c96867
-
Filesize
805KB
MD54a25df9aff7b7dfa62078ee451b259fc
SHA168ca8136bc6c27d6f48f05cf45ba9657a9e88239
SHA2568d7d1a44ebb1f890106ef635940cc48b857f1c87d2f76d22a5a2b0bdf573bd03
SHA512ca8ec75fccdb660c90fecb2dc74b7c2150dded4ee5e13ea113c0dd45ca5248aa3641fa236343695527ebc2233878d06b14848eddd56f21184bbe0fb8ce29d258
-
Filesize
656KB
MD5b2bf7d28b1dd3f833bf3c64113ae1002
SHA1f34e7956790b3fc79ffd6bab0418fa9a7066ca55
SHA2560b3ef63decc81d2189a608b6f6f75e02b0dd0f4d5bf553cd373aced9c4cb5b61
SHA51298fbfbe1430e473e586981fbd7e45c381a4756a7d5ba425d281c2aa0a2887eb749ce3268bae7132b9aa0ba487937e86298d3e95620b49392663c255bd3cec2fa
-
Filesize
5.4MB
MD50d20031bc284d27a61994c4ab9657bce
SHA1bb8c9b31be0bfcc39e6f72f9724a9b6d3ce9c269
SHA256 72c8104e8f9c459fe3407bb58ec8ac18f12ca8cee0d213a85d768c91104fe8ec
SHA512 0203d9868ab86c05051484e12ac274a295cf3b2a79dcdae5be2bacb47ae639e413f6dea5555c64ead12748be77833380a530860f523c9a7e00f112083144bad9
-
Filesize 5.4MB
MD5 e212554ab3a4f6b4bf7028c67f36901c
SHA1 adb251ea01ab49dcc36ed3616041e83a5edaeaba
SHA256 15279adb52dcab86f774f25df72bccbb902457d7a7da91975128a40e5619419d
SHA512 d0d745a3f227c91152c2718d071b6505dd0d73f6ace0efbab1c209d5dba5a052bd201911f7fe65a8d75a0f94b9e1ad351e9c1b4d70fce3bf54ff01488ce05c4c
-
Filesize 2.0MB
MD5 77662d782095e95c4c5a5bc8e17837f6
SHA1 6032446cbb2503b62858caf249a3095bb5b2114f
SHA256 4553cb06d0fb4c688c65a86ade8272354621bdf61c4bf8a349bd08af8989367f
SHA512 18cb84a7c95437727241ead18b3f3c2ee624a472e151f861c57e961328035a55526472091ab062a00cee43ac8ec85fc752c91f1732e806d6f217b088b7a6e4f1
-
Filesize 2.2MB
MD5 14f08faddcf14f85f2bf0ccff504291b
SHA1 9c153b80c1e8aa8f050d2ba94ce4944b9fb4b30f
SHA256 c2df660dc9b7d196f6828280765851e42c86af1365e9a480c7576b054e85b6b4
SHA512 4388c15c2cd55ac30a67b25a1222eb15dcc066271992da0d32e509200947e6936869f51f8e56d9864146e1dc41421326a4d32ea7df3225b2316ad5556dfece58
-
Filesize 1.8MB
MD5 8d61ec4576eb38ed7f4a70b0dbd75ecf
SHA1 d631a10572d198ef6c7256048998550761ab8cc6
SHA256 896dae6a06306f6f97c10025e8ced9db06a19c1ec0cb452d876790e1a8e7e114
SHA512 3dbc03685b085c2774f6aa771f2e86079d684b8e5eb89a9971649d3332a8b9b4886f7a557f19af307fc763581f971a146810e571fd4f0ab4bac6ffc9aa04234a
-
Filesize 488B
MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize 1.5MB
MD5 8f3958962e5f342ea1d64b21cd371252
SHA1 daa04bf21a5495f38b4c31c890ce3784ee7202cb
SHA256 ecde3599c09ccfc4d83efffc2d4b58bf5a4fa4859b804ecf2754b82c9059e605
SHA512 3bfd38fa31f08fd600dd5d18f515e1b538c703a84fca35d386f6527009a2a29bd3007d057a6d58ef69d12b8c53524d25c082238ef61ba5009d244a681a277d80
-
Filesize 701KB
MD5 451dcc16c5ca65353f3887458a956ede
SHA1 c178f493a52843ed3cfe83837756d31bfac036fa
SHA256 5b4c4213253655c117689e6a2f4d0d473a1ab0402a8d6fc0a2479cfbe371e05a
SHA512 7a9aeaf269f662aa9334080a444434c1de94f0731f9b335a535e9b47f72e3cc3286c88658ef19c736a75cd1e0fa6ce49105e4ab338b12abf968835a351170169
-
Filesize 40B
MD5 23e6ef5a90e33c22bae14f76f2684f3a
SHA1 77c72b67f257c2dde499789fd62a0dc0503f3f21
SHA256 62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790
SHA512 23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122
-
Filesize 193KB
MD5 ef36a84ad2bc23f79d171c604b56de29
SHA1 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256 e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512 dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize 5KB
MD5 bf7b4dd1534e9b2888fadbbe91ea50a0
SHA1 4cc9d8872c53a77ee4d242a56c02420c4eb3fedf
SHA256 68f0b6f7b8789c81f267b3528b1ca9ba9ca89746387c2c04a6810a27e2331b1a
SHA512 075a6e5ca1b26d2cb3b6cff5f4755bc6905f4cda59fa2d6a8a65724e7ec8303933f965af5f8df76a4aa8d806eecaaa8b26a56c1a836112ddaf40b85760a8458a
-
Filesize 5KB
MD5 91c902d3231cfc26efd84a0645999c11
SHA1 0eb9c426760704825edac2ef7bc8a2f7deff5e7c
SHA256 e4a2f7e291666f996a6800617149f5b1b807c8574ab2de33240395e94da16e8a
SHA512 c41f1dfa0568cbb9838e0503a58a89cbe0e2ab33178e406dc693201becd0b6767b8081662c8d0bd41c5b086e1179a4b55a0679de541a864d0ccb8cce4db975c0
-
Filesize 5KB
MD5 7651ccb0efe36b5bbdb43f74a2f10df9
SHA1 54adcd06803c8705b82ee44834c07b8879621fe2
SHA256 4596f4c632ef7c396c0583bbe4220ba02b73ca9925897ce15eefac45833290a5
SHA512 2cda9bcc41ffe7e01c1225c45bcb230a0df6dad25dae968aef63e238d176c6acdcf736377d416f56f3cd83448c143680dabaac3becd4469b08146920e3a5ca8d
-
Filesize 2KB
MD5 8441fa327ce1f6c12f371a1535e655be
SHA1 7ccca62179f1eb9a2d47c3886ad8ad4bf5b15071
SHA256 975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158
SHA512 986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4
-
Filesize 255KB
MD5 ce7832f88abb8904d69bd8c28b44daf7
SHA1 21e17488466b0c28dbde0df2ecd7ea0c75f77182
SHA256 ce1fa25a7278f8b37b44fe99591a8988e4bc314d6f4be2d33d5dbd9e18632e01
SHA512 f8f7363957cb180d276f604f3fb82653bb226ccef1e3aad55503dc0a02fb46b9d8893468011f58c0661ad2768789a39da7be88ca6cbcf118fe0941bb4a45fc0f
-
Filesize 7KB
MD5 7c386932bf76a8805dab23fefb4cd330
SHA1 2eedc28e69ab8ae5b9a6ef76c87446585d4ba37f
SHA256 6bc25b13f5ebc01309e30eecafb14f1a1f5f654c5a5a3a3ba1f61f6d90a4c62f
SHA512 1bc17278cc4785903b2567058ee49f7e8187f429d8273643c169f94d7ab8bbde2e8094535605ebb414b6bfaa96097d5188cb15137dee3b690f14a12f896fe8d8
-
Filesize 8KB
MD5 a0858d1fcaf057a1f21f631fab440888
SHA1 5d458fa4adcbb6e6221f2eef82760c9089bdf6a1
SHA256 9ee9831138cff821d0139ab616056ef2ca0919751a201f0434263a49e683ffd8
SHA512 5bbe531d7ce33d4c203df2da7ab6ee0e762011863b83f3925d4d9b83fdc06a69d474f1fc31073fb711e96b184810deab22f9aa22d49f295ef4b5b23a549ade45
-
Filesize 12KB
MD5 a70ab9ea6c80e5dc0d313ebe6b177fde
SHA1 722b1e28b9c0b5e76e4ab15971268f684ab8af81
SHA256 1dc3226745a47db1a3073f606516661ab9afe58878ab2930fd077f38ad4aa55d
SHA512 8b7fdfce2651f2e603f166dda3f15c43d8c411463434af3821579971a96259daab26eec6d823ac1266981e741026744a29e172ac6c58bee93a204ffcbe1ffb45
-
Filesize 588KB
MD5 6f279d3f0fef3e9b2821f0fbb18c7870
SHA1 08f3cb4c1391306bd372cc51ada359049db75d6c
SHA256 2c02c7b9b547dca79aa52b9f11e940a7758c44f67a599cf90666395c3b66f657
SHA512 5d18175dbb82bc7f477459fe6b29dec24987ba1f5f49c5f6ff7024ff2d09207c32e0219a5d8ff5045919fe91d605ff46f36ff3aceef3e2e00985133eff673646
-
Filesize 1.7MB
MD5 a3e86925bb19f44dce87d05d7ebe2db3
SHA1 74fd3523b5a912888a644b4c922cf624c9df7df5
SHA256 c2138fd7d0f1984518faf5e5dd807314fa9e8fe8b5d11d14b061121a4f97a61a
SHA512 21cea0f96e177906a5e8eca8049f9016136418c7f46fe02397d962c8c6398418ee7143bde4831b2cdcee580e169fcec7a7cc816454f92d1c053b5505bdc93f99
-
Filesize 659KB
MD5 8c678845537656b517d567df1abb2acf
SHA1 c18e733aa0f45202fdea4f417252a306d37eace7
SHA256 a1efc59a712edfd703dee61b163ad8080012ee2d0a87704f773b207c1f2ffc49
SHA512 ddce9c19627db37d5bf1ded1f71c710462f976eec923dd016dc9dd694eb4d84df4736fe3b5b56eb0473cef1d7408d73edfa5477b79a2ea9c419d8546ff6b5012
-
Filesize 1.2MB
MD5 00e09eab6a0321fd68855b17dfff645e
SHA1 eefb7b251314a6dc35210f273ea71f02db8c7290
SHA256 8cf32bf0c949f6e37d940e5adbe7be9226edfbdd8af69e362ff2d2353f606cb6
SHA512 bf8beee886e86649127f994e58db9a45fb57cc451cc23bc9b7c1b6db1ede5981096ead62dece8e4003164c24a2186296bdb62a6d8068f1a8a1097ec760d14820
-
Filesize 578KB
MD5 4fe84edecab7f14831bdef3a0b37310f
SHA1 f7fb3507fc8f6dd5ec5b3c922c1e07afd70d1ac4
SHA256 2bc61df526550f3cfc92daa9ba8189d733a20078d2156c50e96208229d9b4b8f
SHA512 6e987340afbbfb76c7336c917e1b2f66b1e75c4794775369c6661311ba57848c74cf41cde29d54719f3bb77f65b84873b6638a5638a65e9637a843388e9d80c1
-
Filesize 940KB
MD5 1b5896bac59cc05a69b1e696471aa95a
SHA1 1a96b2c0a4805c3d994371d7b545c90b315a7802
SHA256 7b5a86cb5bdcbf816cd39160c0888233589bdbc4494b2823e5630e31c74f4323
SHA512 33239c11e5660fb5579caf63b53c820652a0aa514d407c1f66fa14f2f2376e9b37b0466c9951188c7416e0d892ec9739fe6ffc0b6b846e53081a17f879cc020d
-
Filesize 671KB
MD5 e8463160fe60aa93a492f88f0143af69
SHA1 15191ac74561281c0fc7f22d723f8fe4e0314cc1
SHA256 e75914964bcfa051793f6acd03c99ede469ce4523bae7a0916caecd0d29097e6
SHA512 05e786c46efc14720d3feee59e10f9ab77327140d301a415186b1521005fbaf8d3f0b8f42ebb278f85a67eeeeefee8cc2f1f1d65788fd92095f71e33e40a44fe
-
Filesize 1.4MB
MD5 e997b9116a2114988956c8cc90d0dbeb
SHA1 55a36014d8b48cfbe20a399b2b4a473017076ec4
SHA256 8c4b70fbb4708b2989325502990132a1515ed9412f075c6e8a6b9c34b7617182
SHA512 37e279c29e918b5d653d18516f4c3c349d3ddcfd9dc3e37d78c247a4c34e03d96c98c6365e2696a87164dc1d12c4ecb31a6d48c6d529d0716a55a925ee6511da
-
Filesize 1.8MB
MD5 534cf97518f13821ed708baece25859f
SHA1 67142e3bf5dd21e91441722f34e47e29682f5ef5
SHA256 0d19c820e2b2e7bdc856244b662be588ee21b81ddfadc44b5d216a37b74afc63
SHA512 c1a90713f9a7fcaa3493ebedd50e19bcbcc1d5117412d5287356011b0ea9c4c50801cdfd9d7cc030fa1d4c332f8a533a02d30534a0270aafb1ac63629f656f39
-
Filesize 1.4MB
MD5 d75206112211e5cc729392f4549513e7
SHA1 2ec1e11e7291ee45357999728e1d7f2906e25143
SHA256 be88983f48632024b38a18f8716a5e03fc4ad0da23bf15c95db1fe576178aa78
SHA512 f1e7ee62e28730cb8b704fa6423ba3826a234a1bc6af71f7551f79bcacc7d0fff357069fb01b1b0f5841c24c867e0ae83bf782e039009ad42b6179e5eb61e0cc
-
Filesize 885KB
MD5 2010abfe7b41e604de16336864a1d169
SHA1 237cf50cbd50f358dd966b8f2d8043bf43ab4943
SHA256 619913eb7eab02b338e0e51ff5fb28461b31349d48b76fbbe4f66741d3b47d83
SHA512 30382cd3af1d8e6ce5d21b30083a78d11699bf13608ecb5e23f74d4187fe4a816c0d7fdc06945547c86259cec6991a6bc8d2c39c9494a1faf36d127a0cf8810a
-
Filesize 2.0MB
MD5 6d0402ff07cdcc280469bba25d20645e
SHA1 b29050996b49852fc0e9a43375194411e47138ef
SHA256 444788d7bd00d3b675db1d7f7b2e0eeb700aafb3e62d2c15ff6a15e03e5bdfa2
SHA512 63d6e76529ac3ce59d16cf15e9cffe6ee9ad260704063aca4b6ed96a9be3142234fb293620c0597436328c75a27476f312ec57bcc833eabc15fa40e415b0c6dd
-
Filesize 661KB
MD5 2c5e8f9bcb6f8e1ac8dcbc1b416af496
SHA1 82d51b644b27d1f50e07b8d1acbbeba41040784e
SHA256 7b5cac6e61f684214c8b1ac60173ef32372c4df9dbb70794fd2e7757b1cf3136
SHA512 cf188e2894ac5db00a779ce416772f8928ad61d67e683d6138bcd66adae98b4e013b2a4721a8e20d5aa1f85b2becee8e525010decfff497ee552980851919ea9
-
Filesize 712KB
MD5 ff50851c16b6349271f5911aa6f4d3b7
SHA1 7dd0ec208cb76397bd4ca769a5187107ec0a5b31
SHA256 9369c446074be63e53bb05d823fccbc026c7d2cee48ccfc6d22e2f3bbfb9e64c
SHA512 7523abd6b3a41d328ea9488032ebcc22c1ff1d719b7739c4d68cadcd41c441c210261d77b9770d9a9c5be03e4efd5c7bc42d9d232bfb1f6b34bf85b7db8bac32
-
Filesize 584KB
MD5 601b94b1cbdbd8efa4d96274dca5d723
SHA1 cf05b272de950124029653f7f36f479ec0bf7093
SHA256 238fb27fafd4c0af37a19194432e4658acfa5c615a3f3b3cbe71548c4ff7bb2a
SHA512 7128a19140b453f4c114b68a2740be1928ed99d23a6d525f17a3ca5f4f1729ebb75cbe748af933937933490d604ec95251be7453f18297ca81ba8bc3addee7b9
-
Filesize 1.3MB
MD5 928206e0a963424064f3398ae8237d28
SHA1 9a36b1021c6bae92979ce75678d1b8a18f67f7d2
SHA256 7ddee036893c54c69567aecc8136acef65caba3374b7502dbfaff766db734410
SHA512 9348f97684245328f7234bdf2ab973263256e01f9b88f6f1e4460221ee1956daeb6269fdcf0cd1bf8c4a9d14f58c24610e24638e411a6b38c97f64fcc048593d
-
Filesize 772KB
MD5 565faa4c46cf85b848c2e080b9bb9b3b
SHA1 4ce2407fb10c6dd5d7d127a1a83ee70c20e782be
SHA256 bd19f7d1a45712cece8669b2439cbf5701944a0d078a1ccd050d4030066c7491
SHA512 81525937a70cb72c91ea969530d71bfae5e9bbe10ab6d424eb50f642834683d548bd5bcc6d2828bd7bb168c0b13512246c751178f456fa306d1d3a9336cb8261
-
Filesize 2.1MB
MD5 7e36cac3234fc5deb208236c77a5a92d
SHA1 423f33c8721b1e8ac3567b901c75f756405a24dd
SHA256 f971bcfec60d8145ee67d1bb19a4a8fa080b5297437f7da32844486f97477e3a
SHA512 2e475010b5ec1aee3e7103ab7ef768d3c77a102104cece14e707a85458ec65910c2597d47a8fe2fb54d0841b9c352c9a50edacfb81eac5e86229aae7be3a447b
-
Filesize 40B
MD5 440112092893b01f78caecd30d754c2c
SHA1 f91512acaa9b371b541b1d6cd789dff5f6501dd3
SHA256 fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6
SHA512 194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea
-
Filesize 1.3MB
MD5 da2c59a3398b7ff2f4cc50c0ddc1af09
SHA1 1f20bcb8ba8f0ced92659e891055891ee9b8a093
SHA256 ff1d26424110861060485fa6454bc6b296a3f0b37e8c21d35820ecf7d40dfe00
SHA512 bc86834ceb7729c0243b44eff3e024607933cc13914cf8028c4a1633873b9621c00b09b7f14abac414b22464aa48734393841b12415d5ebee301db6f5d229e8b
-
Filesize 877KB
MD5 249cde7a34a6233194481b00107da656
SHA1 ce1089091e65e0cfa8faaae9d6b491ca536ec850
SHA256 515915e05717ca1b89807f1a0531267a08d6362cc0d6a91c2b22bdd37f5d45f1
SHA512 d87f326e8e4e02c1f125bbe17564b8e6adcf331b6063c87b960795d4adb44238e1d0c5ceb3e987d61bc0205dda117b420a54cb75b626d732f900d8726270043c
-
Filesize 635KB
MD5 fafc0ee87d73043d03eb626f4850c042
SHA1 6d0a2c20c7c09df9047d840ea6404e7ef249fea3
SHA256 917807be67d9bd8fe00ba614e00d13fb8415066f8e9489b6ad119dc11ca5bf16
SHA512 69ecd77e03abd33dad84d4059c12e97c8e4a389de5c5cedae05fe64c4255349a9ac8c32786fd9bcef9207731b1df1af282fad8d7201cc80dfa1db787f3b03616