Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 11/06/2024, 17:53
Static task: static1

General
Target: 2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe
Size: 4.6MB
MD5: 52e4353530e50e858c9995f56bca8a63
SHA1: eee94bcb8831365a10cd4224206d90d179e94888
SHA256: 492b8ea0d4b4998b5fe24ca4645502bc24a85d2b6870f1f69ed31b3f536b757a
SHA512: 6d9a9ca4aa1ce4481ff677f48fc31fe391b64ffa4bc2f12ba786bd977fb98514431fd0d6ea29e7db767e87f6cd5751a1b0dde89cce0800ede36c97728b9744b4
SSDEEP: 49152:3ndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGQ:/2D8siFIIm3Gob5iEv69CEN6rV

Malware Config

Signatures
Executes dropped EXE 26 IoCs
pid   Process
5112  alg.exe
4124  DiagnosticsHub.StandardCollector.Service.exe
3784  fxssvc.exe
3704  elevation_service.exe
1484  elevation_service.exe
4320  maintenanceservice.exe
4932  msdtc.exe
1696  OSE.EXE
2892  PerceptionSimulationService.exe
2752  perfhost.exe
3820  locator.exe
1956  SensorDataService.exe
316   snmptrap.exe
4696  spectrum.exe
5048  ssh-agent.exe
4488  TieringEngineService.exe
2396  AgentService.exe
3344  vds.exe
3140  vssvc.exe
936   wbengine.exe
1392  WmiApSrv.exe
3284  SearchIndexer.exe
5976  chrmstp.exe
6076  chrmstp.exe
1808  chrmstp.exe
5176  chrmstp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 32 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
description                  ioc                                                                  Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe
File opened for modification  C:\Windows\DtcInstall.log                                                msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                      Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0         TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz    TieringEngineService.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description        ioc                                                                      Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                       chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName     chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer    chrome.exe
Modifies data under HKEY_USERS 64 IoCs
01000000000000009fd19e4828bcda01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" fxssvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" SearchProtocolHost.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe -
Suspicious behavior: EnumeratesProcesses 46 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 3984 chrome.exe 3984 chrome.exe 3984 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 3984 chrome.exe 3984 chrome.exe 3984 chrome.exe 1808 chrmstp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x1403796b8,0x1403796c4,0x1403796d02⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:916
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcce3bab58,0x7ffcce3bab68,0x7ffcce3bab783⤵PID:1632
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1924,i,15950119622387277657,4681866059924635909,131072 /prefetch:23⤵PID:444
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1924,i,15950119622387277657,4681866059924635909,131072 /prefetch:83⤵PID:1944
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2124 --field-trial-handle=1924,i,15950119622387277657,4681866059924635909,131072 /prefetch:83⤵PID:4044
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1924,i,15950119622387277657,4681866059924635909,131072 /prefetch:13⤵PID:884
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1924,i,15950119622387277657,4681866059924635909,131072 /prefetch:13⤵PID:3408
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4352 --field-trial-handle=1924,i,15950119622387277657,4681866059924635909,131072 /prefetch:13⤵PID:1640
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1924,i,15950119622387277657,4681866059924635909,131072 /prefetch:83⤵PID:5840
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings3⤵
- Executes dropped EXE
PID:5976 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae684⤵
- Executes dropped EXE
PID:6076
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=04⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1808 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae685⤵
- Executes dropped EXE
PID:5176
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1924,i,15950119622387277657,4681866059924635909,131072 /prefetch:83⤵PID:5424
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1564 --field-trial-handle=1924,i,15950119622387277657,4681866059924635909,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:1656
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:5112
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4124
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:1860
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3784
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3704
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1484
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:4320
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4932
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:1696
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:2892
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:2752
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:3820
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1956
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:316
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4696
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:5048
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:932
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4488
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:3344
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3140
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:936
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1392
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3284 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:5556
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 7842⤵
- Modifies data under HKEY_USERS
PID:5636
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
5KB
MD50ed6a1d9d4d4057c93f7d13b0d770c3c
SHA1dad40c6b03d538ae3ded406427d73ee5e95fc761
SHA25668bc824b1d7e5ad0bd7b1b7f8785d8a9564d49bcb25c54fd88e29f04c9279976
SHA512513bfd2b5fcabb4d8eb6e42e9c38678be2b0d1b52d1c8b3920c29ee80699da179f587debd9cfbf859d76faddcda01c3f5b883da1a39ce4d9c4aba7939d268731
-
Filesize
5KB
MD56e4e0ea2316f8a07d733382ac2fa682d
SHA150f6f7be1e3bed57cf02bb54c579a0689aaf1e69
SHA256b614ff2befc94a2f3445441ffc38c50c0cfda49fc9fefc0f1e0151ebeebb56b7
SHA512d32d2ed4437f6fe3f28527b2456476cb2a459d527a384d460f00ef4edc7e39b7366a9fff2055d2cb92c41f4b1f03eed70f4471c922af3ce537d0e5636da20e75
-
Filesize
2KB
MD51f497c78bb1cefe5fae1f2d3e5c467dc
SHA112ec3f79d43fc239252d3812f8f0c2edc492bc51
SHA256e7fedf1f3f9f65c94434b56a0a6b0be4a9773cb80c1fe09b6391adaec9849dbc
SHA512f7ce6b59abe22c099ba4ded438dae24ad228fad07f742fe053c580f2c052a91d5af99bc7616681f0f377f8b5bbbe7ae2defab99203bd1af816724a1e63b62e92
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e71cbb51-2b73-4abe-94be-2bd68d602990.tmp
Filesize5KB
MD5c5d8bab1dfb61e109e5966b5ed46a012
SHA1c9cc552e388dd6b598bcaf4cf8088f755400f86b
SHA2564375082e86faf6b143c1d73c607ccc9d5111342d97274c9d7b82492740664ed9
SHA51223fb1b6f32c9331d5903899f95b4b84180650cbd6c9528e2d766330d8acf1dfbd2fbbac946db9d0e4fd31a85efddc46d459aabf1743d0341420b64992bc18cab
-
Filesize
129KB
MD5a44abd1ee75e2a6eda24167a9fe9d1f7
SHA1d8a342750c8ea47b3f9a6d1cfc2fe42df2eb3e62
SHA256b9c595f4f4d2c46ce3c51c7c93ca300e356d58e7aa56924bc1800bb224a1db5c
SHA512b7d445ca468fdffa63dc999e3989c055162244a5b524d8ba30d31d3021a8fa62ae22507fd7e42d49d2d37a51618e9e67bd32ec9f7cc94d79bbd84bf41107cfc9
-
Filesize
7KB
MD50802dd7e7b1025b89202a2c10c05fdf0
SHA14e6ded2f991a27911dd67581e7a9dc3712a031f2
SHA256856ac18c55dfbd0823d22326f4253b36ca554da339eff81d67fbab48c6425e2c
SHA51264d05fb931c6208d0f1042b04100002ce53e9eb79b4d1c99b8e2f048eda1d8def29bd72a267fd1b57804dfb25bf4e88b20044c70e3acf429d160478dd0f405ea
-
Filesize
8KB
MD53dff96b360f5c4fe1a2a503bc973ac74
SHA19444353c3dd58a6e59b275edae2b753905b8c7fd
SHA2563584279260141595ddbda2967b56d723055cc9f9d72c28d497f956856118a323
SHA512342679f4a88089d12b88019ae93d93f755bd542220ce523e2440d3e8fcb8bf5af9ac1f8aa77123e2165864f3c865dc99bd22e7f5d7949a3b823b93a0615f0eaa
-
Filesize
12KB
MD5dcbac783ae89b309c13f011f7c5afb3d
SHA1752805b6b1226fe4113de96e99ffe503ad327e32
SHA2560a8f46b8855fa32d1c929557db9fe255dbc93a5885e129992876f9126df2f573
SHA512b26c0bfbace300c51b9b7834e04f9cd7fa123dde0f42320d1dc7669ed84e29b447ab82e8c39c7530b70ae5bc2cbbff396a9a718faeb5383096a8ebc3dc1658a5
-
Filesize
588KB
MD5cecda316e21f5bdc6da50ca356450347
SHA153b0c19ac4243119ab4e28884aa7662dc8d3cc93
SHA256962bdc010824299fb75ce08f169880e56b13469144c0b277769a83709239eca8
SHA512e1d122b1a042f0bc0a895f0c48ac9115f6e7aeac859803873dd53578d3d97dd4a87428a1cd2fd11d7b222ac1faf7041ee8e2fd4d130d1f85bc4b560c9f12867e
-
Filesize
1.7MB
MD5573af82494bc996d7bd347498377dc5e
SHA1f06689f7f148181ea4ce71a62360b8c36aa57841
SHA256bf4a964f48da3ab86ed6f014be17cbcf56f983bc8f7625889f19cc9940e99da1
SHA5126cfc03dec634aa8e004c7cc859a05ab2ee1f48871fe83fb2eba9ab65848281f0268f1496a5071e451a8a1cfceb7e9c52c8b1c7aee33366345435e4e5646038e6
-
Filesize
659KB
MD5b21de9965818177de0981e812f4dd64b
SHA1185b706811ea41b52edd538227ccf6c206f26f7e
SHA256e4ae48111542c8c92f2dbb16a6b45ad4540869285d91f4d70fa1291d8f476224
SHA5121b816a907e123eaddb1fdb742ba322009fd60f2b6c86141860cceb7f35fdbeb6e484ff217a8d32ffaa000d9b353a89d2b117b8554ca8c32cbd7cf1aee89b9d58
-
Filesize
1.2MB
MD51fc4d0bfdfe491cd1fb5e5efc1349e43
SHA1c03652111e99674bdd0064b0e88e5b007a4aa397
SHA25611c9e8cbd2d65134aee873a10580079788939e3206c5fea27780c59e1927d404
SHA512dc1fc6d539487c07aab0b066bf8b7d07e6b8d9b21072af2d813504f2c13694e2b45ebd94de697648bca87bcb461974306e635cc11daf36b1d851f1c2f2e02443
-
Filesize
578KB
MD5ee3a2e3c83fee1d43baf7abb2e555a2e
SHA146062ecb9c14e3ad465b591aa4f293ad17875e2d
SHA25615caa2889ba8f93baef12631b3d709212d4206cada4c7b304c979efc6eb8a9e7
SHA5129a15eeb5f7a2e081ad78b5c7e144b5dbdcd66e04688f773cf70f49de01f46d56ecc80d1f3de0b5f6c1e9bc7a8e927213be693785c15bd58c3bcbccb556e0ada7
-
Filesize
940KB
MD54d87333bea02a64ec0277ff8ee9b0068
SHA1792e0a8467ee453d3e3b8ba082eecdf7fe715a6b
SHA256b3dd198fd335a62cc71f454565040310724f15efe9a9f8b9ea9fdc09159d942b
SHA512b4ea4c00e67b7e9d95009ce12f0b7973517f9712a92bfa719b33902e09d9273810c224362b91159226548e6b90136e67a56d2da634a1edbeef92777bb792b0c5
-
Filesize
671KB
MD5dd54d4766594c9a48e3d53a3dbd0d5c2
SHA1268eb7e6cafbed4a296874b9d7010bda4010b6ee
SHA2562305f75f7f9b52c10367c249285fc3a165b64be8057c768bb70f3530eabc9d44
SHA51205a6cbd877ecdaa9ce6764c27578ba237390b2d2d59d99d1a1e0098068a05ce80b223eb0ec60c0603e9f580b4ab8fe0b9f78ffe05ed297d0253556ba89216974
-
Filesize
1.4MB
MD569f71b1b12f31b8d0e196f3eaec16b40
SHA187af90a4d52107a6306a6b257e9259e784fb18ff
SHA256377ecf11799222d9c1a13e2f550a891cc270c3ad9f54a44b17c67e9dbe96cb51
SHA5122f6f86001e721f8a58ea610ee7c751ae5dae913a12d7ae0d5b386ea096d2637df2265721ab6c598762dac6fbe1084cc13e479c6f419dc6ab0a7f894c6ba2bf19
-
Filesize
1.8MB
MD5d7a797cec5723f1e13da2cd3c23b6b24
SHA176b54ffaee051cdec865f983fb5b8b9e8a4d8c04
SHA256a8e8b187bba459aee1bda8dfd3bd1cc6246bf775ec09975711769257d09bad75
SHA5129b8f519ca34d9a81d5f91bafb7f3340698bb9b70c1f754e3c0fb38c60fdfe6a0eba4b5c552dcc7e86913d5efca54e41798f238ee50985b6798f0113ff42e3943
-
Filesize
1.4MB
MD5e5d49a03fc20c3c5d0155c360891f43b
SHA14ae0a8850dbaafa945be174264b5e545b1399c65
SHA2562b11fbfc4d72a7649d8f51d436c3c4d11de95f7a644456eb650b4e09567e1cbe
SHA512d1a2851924c29a2cb02fd2537f69620c3ea830086173c43c32cd0edebc60b6c0f8477b0d98094bbc044c208c475872f6887ad6b470102ba5e4b3d2bef810ea48
-
Filesize
885KB
MD53ead74b261c47a4e4fc005deeb6a162e
SHA177ddf4d7a2247c913fbb42ec0790b4226b7892b3
SHA256728dd25377fa02fb9c02a6a3f1f4c8e0cc68c85f2a54c1f4fc232dc546d82002
SHA5125e2e8258c8e742e77a0531f7d3c6aee8933e53a74385be6c760012bd8e66bdafab8758810e44178e84fa9dab8f347defd0172ec157eb61415e848e95373e35ae
-
Filesize
2.0MB
MD57522df3398b7a5cc1b1cd02c962713f0
SHA1311b19901a02e0b17bc9d6193000bd1e6ff6917c
SHA256d263a0e0610c5e0c46e2c7f6fda68ac528e1e75d971a212e90152eeb6d778002
SHA512e34b452e5d53c616b073cad4488cf766da64efafae94b7e9827e877340163ddf7571def854539cfdd5d7e95a302cbc367e6a0ff95d4819c85349543e5db567f0
-
Filesize
661KB
MD5b67371b474038b970b6b448bbcf65e5d
SHA101f0e9da55a1f48c475b968437eb1fef2242b0d0
SHA2562f50201dfcf9c1e3d363e6dcf76fd688732fdabca0b8e2629c1eaa20bcf33a3b
SHA51230711090b829b8dd180fbd3ab5ab79675cf626c1c40f3b0b458877fe9e704f03f7be3eb8689c1cc66d5ed48d161ee62fa9222e507855ab7d6b5ebb4956f6f41d
-
Filesize
712KB
MD548d99a72b1bd9c76d13a11f7851be138
SHA1d80a522d795dd71347c0c2a86202baf024aa4071
SHA256702c462407a37967bb245b29c8ba34b18066f8b9e6e4dedfb6794adaf747b0bd
SHA5125eeb7072b6a06864c8b55caa9a164ac9a511d81252b1a0c8cd1df5533890d6bdddc6f3db2036d43b8ce2ab6b67b6c479403607b06187d40e58cee33d9269ae1b
-
Filesize
584KB
MD51476fc6d278deae433833a457f491c6e
SHA19d9deb5cb0a71f382b3ae1f2594cd04f9c3417ac
SHA25685f9d38e29eba4164e9cc2c2cbc06690063db8f262c492db0bbf3b720bc20bdc
SHA512e67e30990823214a5d0fb0b59c3cab081393e9011c3469018d04aa8d94d081e0e4480ad07a026c1a5e4956582d84d60e290bcf6a6902b8680de6ff8b056fde9c
-
Filesize
1.3MB
MD53b679d43a3513496d3455231fd3b4f6d
SHA1289668faec21ca84ab9fdb4d7f981fdf1bd72a30
SHA256c675cba1e1f010c3b504fb6adbc06a8d6cf3d7d86b4c39608f30dd32ba46efcd
SHA512113ba25232eb73449950049ed5e79f56c7fb27b606739682285d95cfe806f46d9f1ff4d4a87c01b27b0b5dfea069ec471954086ac8a06226169320a1cd49599f
-
Filesize
772KB
MD5d0441480cda6d85b302d8a6c668a0778
SHA12957cd150e6c2b417b61417cf8fbd604b4387ee6
SHA2561ec715883cd130a55ff2c3c316980152588f93d37c9b0350f200e0836866811f
SHA512f4d76109f8cafa22c20e89af6fc026d92edd4a84c537b34edd45e148a0fca5d310f88f811d22115ef5a47305376876c60dfc917af649a51d86080defb42d228c
-
Filesize
2.1MB
MD56ea1da6ebb14748128ebb0044c266966
SHA17ab67f84d3b5fe01632662728425a40d68deeacc
SHA256d4ab770718cd8179ead43ab230ed7c1020ec45e487d427b4e1e30d4ed079a423
SHA512a5657acd7937c17ca9f61555705000c801f66e97ce75b6a0ea49e07061ec505568a39e29c763b60df00aea0c208ffef6f24841f390c3d12af8b163c1eae54c68
-
Filesize
40B
MD5b2c359ffd4bf582baf62f6e8adf87a6e
SHA18e9a26cf9202a00b2f38b9cf92a2cc0fa2e76b79
SHA256ee8fad0e09119ff89b6f13fc18df351e81b41199adfc10acbfeccbbb88e02a9d
SHA5121b1cddd7353d0e9300f1c661feda7f8d1a71e6d90279cb72c3adb51a7bce9c64e2fc87777926db50a8d41cc945445821d1b3cc1628f7446a7c03e64bcf8aff92
-
Filesize
1.3MB
MD57e6de9ced184fb696d36096af90c7c15
SHA1d6b30d958e2e3bbc5565ad9e66e83940bd2ef341
SHA256a73d68899ad7f6ae671cbc266ec2afb6b2d28ad8c723bdef41f4975e94208e74
SHA5124d93ce075066c49b8603bf96d3f00f4a32bc133ddbece9493c20f442f81171fa437d66de90043859cae40c98e37f508dac327ac9deb2028a43d0cac8afc09962
-
Filesize
877KB
MD579b84a38e74a95a927b53ddf93e44eaf
SHA106871d0f91b41240f730087e59297ae386ff87d9
SHA256c38dd4e518bfcefc947ace35ab3491b1140725cf587837c3f43f43fc0076e48b
SHA5122e54e06eb7b0670607b7fd1ebf03ab69ea42a63039e967f6a64bae8a49f06743e32b10dd321d51df63eb1bcc2610639eab1a19177535fb496fc142cbcdda05d0
-
Filesize
635KB
MD562c80873fb89bf998faa19a7487a0ed9
SHA1b65cfc76412c8cf2f48db82ca7769cd3a624a0c3
SHA2561f6a50fcf23cc1b91b39df4ffd3e33f86e664faeb791ae07f9ea34be5a8c3352
SHA51246bf4b311913c8f867bfe1adc520b5f41ef039f04d895633b1929868572ef264859c37f76c1706435d2aa96db44980b96e926bd3f656ef6679c4f60058c68bc4
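The dropped-file list above is the part of a sandbox report a responder turns into blocklist entries, and the page extraction has fused labels and digests ("MD5<hex>") and put most file sizes on a separate line. The following Python is an added example, not part of the report or of the sandbox's own tooling: it parses entries in either the fused or the spaced form, checks that every digest has the length its algorithm produces, identifies tiny "dropped files" by hashing a few candidate literals (the candidate list is the example's own assumption), and emits a de-duplicated SHA256 IOC list. SAMPLE_REPORT holds three entries copied from this page; the 2-byte entry resolves to the literal `[]`, an empty JSON array, which is why a size-blind export of these hashes would put a meaningless indicator into a blocklist.

```python
import hashlib
import re

# Three entries copied verbatim from the dropped-file list above, kept in the
# fused "MD5<hex>" form the page extraction produced so the parser is exercised
# on what a responder actually pastes out of such a report.
SAMPLE_REPORT = r"""
-
Filesize
1.1MB
MD5cccff4de52ecd4906c036f17af118d19
SHA10d9ad92451d5e7700df21901954cf030c38a7a2d
SHA2563c350ab029f7183cbf3cdedcf556bc7f0d3a8609a2917247d3db73d8eea2ac40
SHA512fb84b2291755788c4edfabe9188112d4af5b73f661acbc15220935ce785dcc5338e9dd826058c3fe2ff39e7d062f3a0da47c21f2d7ecd70f2d6a26d6bc79376c
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e71cbb51-2b73-4abe-94be-2bd68d602990.tmp
Filesize5KB
MD5c5d8bab1dfb61e109e5966b5ed46a012
SHA1c9cc552e388dd6b598bcaf4cf8088f755400f86b
SHA2564375082e86faf6b143c1d73c607ccc9d5111342d97274c9d7b82492740664ed9
SHA51223fb1b6f32c9331d5903899f95b4b84180650cbd6c9528e2d766330d8acf1dfbd2fbbac946db9d0e4fd31a85efddc46d459aabf1743d0341420b64992bc18cab
"""

# Hex-digit length each algorithm produces; anything else is a truncated or
# mis-extracted digest and must not be exported as an indicator.
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9A-Fa-f]+)$")
SIZE_RE = re.compile(r"^Filesize\s*(\S+)?$")

# Candidate contents for tiny dropped files (assumption of this example: the
# usual empty or placeholder payloads that browsers and installers write).
TRIVIAL_CANDIDATES = [b"", b"[]", b"{}", b"\n"]


def parse_hash_blocks(text):
    """Split the report into entries; accepts 'MD5<hex>' and 'MD5 <hex>' alike."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries, cur, i = [], None, 0
    while i < len(lines):
        line = lines[i]
        if line == "-":                       # entry separator used by the report
            cur = {"path": None, "size": None}
            entries.append(cur)
        elif cur is not None and line:
            if (m := HASH_RE.match(line)):
                cur[m.group(1)] = m.group(2).lower()
            elif (s := SIZE_RE.match(line)):
                if s.group(1):
                    cur["size"] = s.group(1)
                elif i + 1 < len(lines):      # size printed on the following line
                    i += 1
                    cur["size"] = lines[i]
            elif cur["size"] is None and not any(a in cur for a in HEX_LEN):
                cur["path"] = line            # a path, when the report kept one
        i += 1
    return [e for e in entries if "SHA256" in e]


def validate(entry):
    """Names of hash fields whose length does not match the algorithm."""
    return [algo for algo, n in HEX_LEN.items()
            if algo in entry and len(entry[algo]) != n]


def identify_trivial(entry):
    """Return the literal content this entry is a hash of, or None.

    Every digest present must agree, so a match identifies the content
    rather than coinciding on a single algorithm.
    """
    for content in TRIVIAL_CANDIDATES:
        if all(hashlib.new(algo.lower(), content).hexdigest() == entry[algo]
               for algo in HEX_LEN if algo in entry):
            return content
    return None


def build_ioc_list(text):
    """Unique, well-formed, non-trivial entries plus the entries set aside."""
    seen, iocs, skipped = set(), [], []
    for e in parse_hash_blocks(text):
        if validate(e) or identify_trivial(e) is not None or e["SHA256"] in seen:
            skipped.append(e)
            continue
        seen.add(e["SHA256"])
        iocs.append(e)
    return iocs, skipped


if __name__ == "__main__":
    iocs, skipped = build_ioc_list(SAMPLE_REPORT)
    for e in iocs:
        print("IOC ", e["SHA256"], e["size"], e["path"] or "(path not in report)")
    for e in skipped:
        print("SKIP", e["SHA256"][:16], "content=%r" % identify_trivial(e),
              "bad=%s" % validate(e))
```

Run it on the whole list and the tiny entries (2B, 40B, 488B) are the ones worth a second look before export: a file that hashes to a known literal carries no information about the sample, while the 40B ones, which match none of the candidates, stay in the IOC set until someone inspects them.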