Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/06/2024, 17:55
Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
Resource: win7-20240508-en
General
Target: 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
Size: 5.5MB
MD5: 627b97044c2d938652e0891dde8c45a8
SHA1: f2b8f16dbc0dd9c17e51e8f4c002ae139f1009dd
SHA256: cde84805039c39317f95456dd499efc8a50f35518914126bf0a1898310402acf
SHA512: 267ec5dfd4118613211bd6b2367658d150f2caebb1f316c2282e4c26f89ad8152ec8313044dea15285987cda15f0f9049555c4db7e086f48d998c95e8b6ed76e
SSDEEP: 49152:YEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf+:2AI5pAdVJn9tbnR1VgBVmodt6N3u5H
Malware Config
Signatures
Executes dropped EXE (26 IoCs)
Most of the images in this list are Windows service binaries and third-party updaters that the sample opened for modification (see the Drops file sections below); the sandbox reports the rewritten executables as dropped files, and when Windows later starts those services it runs the modified code. No signature on this page identifies a malware family; the "ryuk" token is part of the submitted filename, not a detection.
pid | Process
2436 | alg.exe
1096 | elevation_service.exe
4256 | elevation_service.exe
228 | maintenanceservice.exe
3708 | OSE.EXE
4452 | chrmstp.exe
4428 | chrmstp.exe
1752 | chrmstp.exe
3900 | chrmstp.exe
2076 | DiagnosticsHub.StandardCollector.Service.exe
3180 | fxssvc.exe
4100 | msdtc.exe
1116 | PerceptionSimulationService.exe
4156 | perfhost.exe
1748 | locator.exe
1820 | SensorDataService.exe
4336 | snmptrap.exe
3960 | spectrum.exe
1128 | ssh-agent.exe
2868 | TieringEngineService.exe
4068 | AgentService.exe
4176 | vds.exe
1044 | vssvc.exe
2112 | wbengine.exe
416 | WmiApSrv.exe
4588 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (26 IoCs)
The targets are existing service executables opened for modification in place, not new files. Two rows have a writer other than the sample: the rewritten alg.exe itself modifies AppVClient.exe and writes 656821d492be0f3e.bin under the SYSTEM profile's AppData\Roaming, so the modification continues from a replaced service binary once it runs. MSDTC.LOG written by msdtc.exe is the MSDTC service's normal transaction log.
Description | IOC | Process
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\656821d492be0f3e.bin | alg.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
Drops file in Program Files directory (64 IoCs)
This list stops at the report's 64-entry cap, so the full set of modified binaries is larger than shown. Both the sample and the rewritten alg.exe appear as writers, and the targets are existing executables of Java, Firefox, 7-Zip, Adobe Reader, Internet Explorer, VLC, Office, Windows Media Player and .NET, again opened for modification in place.
Description | IOC | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaws.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
Drops file in Windows directory (2 IoCs)
Description | IOC | Process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
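The three "Drops file" lists and the "Executes dropped EXE" list are easiest to read together: which rewritten binaries were then started, which started binary kept rewriting others, and which started images have no recorded rewrite at all. The following Python triage helper is an added example and not part of the sandbox report; it parses rows in the report's own "File opened for modification <path> <process>" and "<pid> <process>" formats and correlates them. The embedded rows are a constructed subset copied from this report (the real lists are longer), and the function names are the example's own.

```python
"""Triage helper: correlate "Drops file" rows with "Executes dropped EXE" rows.

Added example, not part of the sandbox report. Row formats follow the report:
  File opened for modification <path> <writer process>
  <pid> <image name>
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Name of the submitted sample as it appears in the report's Process column.
SAMPLE = "2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe"

# Constructed input: a subset of rows copied from the report above. The real
# lists are longer (the Program Files list is cut off at 64 entries).
DROP_ROWS = r"""
File opened for modification C:\Windows\System32\alg.exe 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification C:\Windows\system32\fxssvc.exe 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification C:\Windows\System32\msdtc.exe 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification C:\Windows\system32\SgrmBroker.exe 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE 2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe
File opened for modification C:\Windows\system32\AppVClient.exe alg.exe
File opened for modification C:\Program Files\7-Zip\7zG.exe alg.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe alg.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\656821d492be0f3e.bin alg.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
"""

EXEC_ROWS = """
2436 alg.exe
1096 elevation_service.exe
3708 OSE.EXE
3180 fxssvc.exe
4100 msdtc.exe
1128 ssh-agent.exe
"""

DROP_PREFIX = "File opened for modification "


def parse_drop_rows(text):
    """Return (path, writer) pairs. Paths may contain spaces, so the writer is
    split off from the right; the description is a fixed prefix."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(DROP_PREFIX):
            continue
        path, writer = line[len(DROP_PREFIX):].rsplit(" ", 1)
        rows.append((path, writer))
    return rows


def parse_exec_rows(text):
    """Return {pid: image} from '<pid> <image>' rows."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            procs[int(parts[0])] = parts[1]
    return procs


def correlate(drops, execs):
    """Answer three triage questions from the two tables."""
    rewritten_by = defaultdict(set)   # writer -> lower-cased basenames it rewrote
    non_exe = []                      # side artefacts such as .bin and .LOG files
    for path, writer in drops:
        name = PureWindowsPath(path).name
        if name.lower().endswith(".exe"):
            rewritten_by[writer].add(name.lower())
        else:
            non_exe.append((path, writer))

    rewritten = set().union(*rewritten_by.values()) if rewritten_by else set()
    executed = {image.lower() for image in execs.values()}
    first_generation = rewritten_by.get(SAMPLE, set())

    return {
        # Rewritten binaries that Windows later started: the modified code ran.
        "tampered_and_run": sorted(rewritten & executed),
        # Writers that were themselves rewritten by the sample: second-generation
        # spread carried on by a replaced service binary (alg.exe in the report).
        "propagators": sorted(w for w in rewritten_by
                              if w != SAMPLE and w.lower() in first_generation),
        # Executed images with no recorded rewrite: either benign children or
        # rows lost to the report's 64-entry cap; check these by hand.
        "run_without_recorded_rewrite": sorted(executed - rewritten),
        "non_exe_artifacts": non_exe,
        "rewritten_by": {w: sorted(v) for w, v in rewritten_by.items()},
    }


if __name__ == "__main__":
    summary = correlate(parse_drop_rows(DROP_ROWS), parse_exec_rows(EXEC_ROWS))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the embedded subset the helper reports alg.exe, fxssvc.exe, msdtc.exe, OSE.EXE and ssh-agent.exe as rewritten and then run, alg.exe as the only propagator, and elevation_service.exe as an executed image with no recorded rewrite; on the full report the last bucket is where the capped Program Files list makes itself felt. Paste the complete rows from the three lists into DROP_ROWS to run it over the whole report.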
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments. In this report, however, every reader is SensorDataService.exe or spectrum.exe, two Windows services whose binaries the sample rewrote (both appear under Executes dropped EXE), and enumerating device properties is part of their normal start-up. Treat this signature as weak evidence of evasion here unless the same reads are observed from the sample process itself.
Description | IOC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. Here the reader is TieringEngineService.exe, another rewritten Windows service from the Executes dropped EXE list, so the same caveat as for the SCSI reads applies.
Description | IOC | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Description | IOC | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
The writers here are SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe and chrome.exe, not the sample. The MuiCache strings, Shell Extensions cache entries, FileExts keys and DirectShow/MPEG2 keys under .DEFAULT are what the Windows Search indexer (SearchIndexer.exe is in the executed list) and the Fax service write when they start under the service account, and the TPM telemetry timestamp under S-1-5-19 is Chrome's. No autostart location appears among these keys; the list is evidence that the rewritten services ran, not of registry persistence.
Description | IOC | Process
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088be90cc28bcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133626021589152119" | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da1dd1cc28bcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bbb388cd28bcda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000859ebcc28bcda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003176cbcd28bcda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de2093cc28bcda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051f8aacc28bcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000815267cd28bcda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe -
Suspicious behavior: EnumeratesProcesses 39 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 664 Process not Found 664 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 1948 chrome.exe 1948 chrome.exe 1948 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 1948 chrome.exe 1948 chrome.exe 1948 chrome.exe 1752 chrmstp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Users\Admin\AppData\Local\Temp\2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-06-11_627b97044c2d938652e0891dde8c45a8_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2cc,0x2d0,0x2d4,0x2a0,0x2d8,0x140462458,0x140462468,0x1404624782⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2676
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe7e45ab58,0x7ffe7e45ab68,0x7ffe7e45ab783⤵PID:4988
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1924,i,9345017235050521608,9222843744245363014,131072 /prefetch:23⤵PID:728
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1924,i,9345017235050521608,9222843744245363014,131072 /prefetch:83⤵PID:4028
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2272 --field-trial-handle=1924,i,9345017235050521608,9222843744245363014,131072 /prefetch:83⤵PID:4772
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1924,i,9345017235050521608,9222843744245363014,131072 /prefetch:13⤵PID:4368
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=1924,i,9345017235050521608,9222843744245363014,131072 /prefetch:13⤵PID:2284
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4300 --field-trial-handle=1924,i,9345017235050521608,9222843744245363014,131072 /prefetch:13⤵PID:2948
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4472 --field-trial-handle=1924,i,9345017235050521608,9222843744245363014,131072 /prefetch:83⤵PID:4148
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4480 --field-trial-handle=1924,i,9345017235050521608,9222843744245363014,131072 /prefetch:83⤵PID:3140
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4660 --field-trial-handle=1924,i,9345017235050521608,9222843744245363014,131072 /prefetch:83⤵PID:1932
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=1924,i,9345017235050521608,9222843744245363014,131072 /prefetch:83⤵PID:4044
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings3⤵
- Executes dropped EXE
PID:4452 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae684⤵
- Executes dropped EXE
PID:4428
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=04⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1752 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x14044ae48,0x14044ae58,0x14044ae685⤵
- Executes dropped EXE
PID:3900
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=1924,i,9345017235050521608,9222843744245363014,131072 /prefetch:83⤵PID:4076
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1832 --field-trial-handle=1924,i,9345017235050521608,9222843744245363014,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:5728
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2436
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1096
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4256
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:228
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:3708
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:2076
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:3704
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3180
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4100
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:1116
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:4156
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:1748
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1820
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:4336
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3960
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:1128
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:5116
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2868
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
PID:4068
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:4176
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
PID:1044
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
PID:2112
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:416
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:5452
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 8962⤵
- Modifies data under HKEY_USERS
PID:5476
-
Downloads
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD50794c7fd25654866bf3d8dad0fca8206
SHA177bce6e5837e8782fa79baf01e2bfcfc33ee5f28
SHA2567b3cc0c190562c58256ff42d5a4ba86e2124bd0b042dc652f1a0d5364275cea2
SHA512c48b74bfae9be68fee5f22b1955635c89cfa9c755bd0aebe3f32453158ddd11000e21b0846492ccd90fd336d8382b3ccceba736f51a1411a3b47a6b6560545d6
-
Filesize
5KB
MD5938c42f63ff3c3f0a1a2ff391b7a4d6d
SHA1a63e7a18fad5a6eb863399e0deb7dcc4e192c266
SHA25684c98460a2b32d19fe8e5f57fb9b2d6e2b659f0b65ed0310f6d823fe81fd222d
SHA512d25ffa2c9407b800e5025e82d40d53659d492eb1e76ea8f9568d323d6f8e6b92b94b9f1966ef470f92f53ebfc9d0bec01d4a148fc8f84c179360e88deefaeff9
-
Filesize
2KB
MD580c9ece824708be3255fd46fed4fa84b
SHA16ab10396c88f4760224c2820d198207c54f01266
SHA2561f8af8464e8755fd26db7cc2bf44b59934126100a43b00a66da96ef4bac4e336
SHA512c8e8c5ce9c0607264264ceb4ccddc869543fc5b9d3929ad42904cefd147938d6523ee61e5ed2f6f46fba1e6c92f8b6dc14300f4c6c7cfb295fe3274677d9ae2d
-
Filesize
16KB
MD53e57be18170517415312fb8cb9f16883
SHA1a8ce102066068e405f6a30020c64e46083cf7d2d
SHA2564cd0934f16026983720bea98ab2d8957c00437ed1b4921dc5de9540c5b1f38cc
SHA512d1d752eeb22125b1a25ef30856329d8af2e101066267d112682268d3a5ff34a652370a9fe40c219bf0f9509cf4fd72911308ccc57e572e9fdb47055c04f66a84
-
Filesize
264KB
MD556a300c84a138c53568ee200b3c89b24
SHA1302dd2bc07f0a646950931eacbd6321bce1299c2
SHA256b6f1ddc9f628b0f0f9293b9a01d79901c1fb9b5e522d7b8cdc97f3c0fa994c31
SHA5123f6ce9d9a9e2aa0eafdea38b29aa1495fa9033d74324c58cc879edee17e5dd23d344bf09e3ee69aef5d70304fde994b8776ffc6a429ae2baaa90f82ee9b72242
-
Filesize
7KB
MD53980f311841eda46aecc7caa7add7ed4
SHA1bae11b2382fee666b751703e76df2089b521e3bb
SHA25648bff55d43947042bab2d2bf67f4fdb3ebaeffcbfbe049ee1d2877ba465582da
SHA512184c8924391d2c01623d4fcdec5aa0c9b59d1e5ebfc1d004ba7736b2f5ae4d4a30757889edbe194db057ac9b3e17a169ec881bef3b7061ca8e582b48e7590491
-
Filesize
8KB
MD54a30d8ea465618050ddb78cea3cd4db3
SHA11c403f7e5db3f57d60915b62ced48e0f0c327d49
SHA2563f6cf93f5112a0f6bf3806605f87cb4f80307c5cea580e6fac8ef36ea0263088
SHA512dee6ad7ac28a49f4f0d98c239db877e985b00798cad2f7355806a541043978cc74eaabc6858760aafa7162f851ca90155626cf8e4d274853fdb49eae45117188
-
Filesize
12KB
MD5e88615619118f20786d9ce7d0ebf15e0
SHA1dfacf981e23809bc96d2c63e7e9752681e763b08
SHA2568a28b844dcdf2eb91c31ec46b65554a4a7c6c75d556b09d2177071bf0aa00336
SHA5122b5aef3eeaf6c860a49729a8ab705cb0f31fe84578dde7fb6fa68e46dbbd856e9116b38a31099426744979306b4f5c98aaa0f380cf1342081894b9131f32873e
-
Filesize
588KB
MD532c39caa621f6e0c57545526d422ee1f
SHA15ca27e6716e42c307e56df99c43ce4292c7cf16a
SHA2562672d27afe1ca57d1feeacfa5c3d671dd51180694dcfb58008d8ac12a7e9e0fa
SHA5124a5f52bb6d40b30ce2856b453b73bdcb7cf0bb883703deb0c92bbc5274a88b4bc6b94613875e94727aba753834c1cb0762ea1a8061088ac91da08aaf95113298
-
Filesize
1.7MB
MD5df04935f6b862e147923522cbd29ff3e
SHA192915591e265a9a1add4ffd28afe301c334edeba
SHA2567da0bebba5c221776142eb21447392dec3274c8b857b9ec1bfa17cb47b07f8a0
SHA51242ee35f7e6131cbc407d7ee4dfd1a7c90f0283b1ee2f26354b818f44c1ee16db1cb4c3a96a705ecb6c6f71923a3488ad4f8fd8153b268d4649e0467c4f569cd0
-
Filesize
659KB
MD5de975240857635bbc10a708fc50566a3
SHA17d3e30d1e9b7ff3a8befd140cbbc55f37bf30ee3
SHA2567b1cca4f8698eefe5805ea1d0d73f9fcdbe80657a51166396d09e84027084bd6
SHA51269ffc4469c5ec8f7a5729d8391f6ed0ccf0b5aea9a63b003dbcd153b537a60abe2e32e77de1ba0cd51e46547c30cc40cab6ee4ac25bbfe6c55e8329fbe9af9f9
-
Filesize
1.2MB
MD58fdd796f869358986be7a551cd00236c
SHA1fe2286cf38dbed62b2c4efa3d07d9cc60f91a832
SHA256930311c08174c78779233b98288bbb55bde55cafd3b3d740307227fc21ffdbb6
SHA5129b9587d3477a29936742b90ab10e67f1e7c9dd2562868537259748e00bee2bdf0a78c44993b753dd47a24317aad67389fa0fb2cc72fe6067cf7c7c40f7dcb339
-
Filesize
578KB
MD5e12e781512a20e5f08a9abd8de5b50e7
SHA1384378427b5794f6411f4817dc878ebfe22bf87c
SHA256bd62332bd69508f72aacd88cc918ed3e8609398ec14d9f686ff2e57592cf2146
SHA512a3c6f21cd945a991f74b59ff4f2aab4d1ab5b3bb244bb1927f7c0c146abd4a9949d81cf9db30a890ceb4b3707a1cefba330e969bea4bc7b47292dc083c82ccb9
-
Filesize
940KB
MD5e34bf96c8ed2a88fbc498dda81babc1e
SHA142f0472885a50798d2249066c81d52f260b8c7c3
SHA2564c6631d09b6cd6ce75553f0f83e8a9cd072e3afb67a0177ff00a81024c8c25f4
SHA5129cf7160d1bbf1372e8d428b5d8ef248eb4b3c8f94c84ee850d323e0d3139806b343f9e71ec069be055fa2f310fc8a8f0572eb5301538748281b8ca9621663940
-
Filesize
671KB
MD51810a4dbe22b833ed3a0d0630c0bb1c2
SHA1fecfc79fdc5cb45db905d35985629106c5462a1e
SHA25602aaf542a4cb5e4d864044dd6f22b76af8f2e9db855a7f2a7541f3fd3298c0f0
SHA5129c9af294dc288521ab591675dfac46880d634c10930cef93cdc6df15f6b40c049dd25f057f0761498936c40b9db20b4e889de82bb37ec68a81ba54a7071357c7
-
Filesize
1.4MB
MD55b3d14d0bfe62a8375d517214e2b591e
SHA15bac00bba01a7afe292220b566eeab138e9bcd74
SHA2567f903644b74c25722eb370450975d997d61c326fd7cd026a5b156272ad0494f9
SHA512e026cd724d0f60de0400b6af807fb96937bab5489f5969c26cb1de12747516eb97b187ef54c20e0b39cafa381fdf3e83ec7c4e5e3ea8865c66b7dc7129ff4e71
-
Filesize
1.8MB
MD59ab9419a59cf668b494e30b10c659570
SHA12729e23a7003c4e7c4b781ac743848a3f45842d4
SHA2564a154002f71b54dc994c1fe127806ff4ac39c783e1b0eaaad95d5cda367838bf
SHA5128b0c3a13f4e3d22f4058defc2c67f0a3817916391021d4070371a60be072de66f158bd90c23ddca8adb44cd2e3780828f2ed620452950e35b40629b89269d2ad
-
Filesize
1.4MB
MD584b7d46b00472cca67c6cb674bd31d85
SHA1c96da1947e66e853a8affd205c2cda9e85d75e94
SHA25691424296fe8610f402db558ce402fa679da6df67432824cbdabd9bb97076a122
SHA512377894831bbc11405f76678385022d156155076cc05e2296f2c7f2deeea5f43a7c252436beebb1bae0692d433472b4aa54bb529d8e195dcddcf588366a246d43
-
Filesize
885KB
MD5403784bba5bda1609e61c9200da95c40
SHA1b980ab04497316b4336332e7257f2b4aa5630624
SHA25605baca0d561061df5648351f5a4401ae608f112a9448a9bc48d9ed8086e64d35
SHA512d939744dd36389dae53e28f386308e769ca039725bb3e07efc9d4158e4787dcb061f8420be270817ec257c6bc9f16cbddf379bc35398ba54cd8ed9d99e3adcdb
-
Filesize
2.0MB
MD58e5d07b256e5716e402893f4d50b4370
SHA1632eb60db2ee1694bd428fa0bd98f85eeb297ef1
SHA2560ee8d4933a3347410d74dd5e4920fbcd5a7ce9611db1657268ca5df3870ed501
SHA512b21b2ca014eec4822ea73a81c0825a71700f6a571a2ab809389207e236d93096291afe1cb5ab1343c660975b49480f3b66f8284f590d56ebae3f9d7d3f388361
-
Filesize
661KB
MD53f29ea6bd7383a11245e2764885d6d65
SHA16da26ea3e3567cb5a55691af2810b99c854c8ec4
SHA25611659b021a428a31ae99a53581d5de26466fb68353555cbb26d94e4766f01711
SHA5127a2606dcb15d8db3f4f0f6adc148a1c1604045ce32fa4a8522a10148d016fc87c8749b9bdbc8f1e9db336817f25bced4d68091c5da0ae888cbd63454d5059b3a
-
Filesize
712KB
MD5dd31412cf88283cf8b30c287374bd161
SHA1d0908f3f2268b4ac9a0cc78c66f4c06f9f7d3855
SHA256e04c3add444d88ced343f12234294a4170f73e71daf496f0994a608cb1d04df9
SHA51257b02e1839e94f4c97399d42004b0a1257c7e0245ec7f3e1c9d43f9430a0c91434072ebc1c1e053f941726ad8b73f3e7f60a04fd005029f8d0dcf48dfd22c271
-
Filesize
584KB
MD5e8c3167ab818bb723bada824418440db
SHA1480001f782c9a9ba17e3ebbd9d6a49226c57d53a
SHA256f9a0cca133b35f9d067b347c4a91fbcba835ac99a013c76dc7becbf9951e70b6
SHA51249b6c476b44f67d4c0cf4240d1dff71230d75d6ab812df73bc67d95653be0a1b2eb316beec87fdf9eae382325f3f800c177a99678aa64d2cae190d4033a2312d
-
Filesize
1.3MB
MD511fab0919a389e2e3fd103b8043d7e18
SHA196087d762c14b6e559e3675c2a132dc1178b5411
SHA25684bf5a8265a8c92573121b73525f25de5332d911a32e5cdcb79fadddc9933eb1
SHA51229d78ac37d8daf1d5e65bb510f90588b33ec5290b9390c84944d2586c45a3b41687254acb3b6dd2d55dfa6ad501d1f947ee7eabf8060f8bd370ac64dba7a5281
-
Filesize
772KB
MD504b41beb952f0a94c416df0db122bfaf
SHA1b32435b652d3d332b95f8d73f0948e57907d98ff
SHA25675fa7828b0b7a7672991b6f07ac4051a9dc595e8111b4ff340bb9f7837f205ce
SHA5127f4feff37891809aa3dfae8ebd66da0b679ce7c848d6f08fd0393d3320390995c8efc3837e81f31bdadb1d71234049626fd22ff81da448d5d12c84499b7af567
-
Filesize
2.1MB
MD5cab565d2b5c6d0a42f255fa055ae64ef
SHA1ff812e8b8ce0b3ac4bf9ad921301f6773a29e85f
SHA256c450bcde2e0aa74cb7aae12844e733c3a69655c600dc70f75850a7a7911ddabc
SHA51206f85e283395e79d7fae4fb15e52627e32759e561092a419630389b1b885f07dfa672ee7d64baf46acacd062837f5680547762cb42941f81bea100680d2bada5
-
Filesize
40B
MD5f8da1e3912337378c0f722f616cf6aaf
SHA122482c3e69a3b76d24d4e88d30e345654afd0338
SHA256342768ee193e599905624366abf160660028ba384d57ae4da8734bc9473b010b
SHA512b72adac4dc3ef8cd0c1275eaf376da652f8aa271a162aac1a54571f6f93c0e5fe9fec69a9cf380f84fa3ce438f06e3c9c2493a1d422f5d1bf4c46d6962ca9f47
-
Filesize
1.3MB
MD5ec12663554c7ca0f415bbbd09b016e13
SHA1fcef4f6cb5e850246d8d7609d2a6c92e4d2c826f
SHA2569383213bebf51d3830ba2433614176abfab76105b96b1b86d663085bd7b643c0
SHA51233532aaaa049f3b4b24db1d3a8a88fbcfa136336c5f3175a00bad2bbc2a4288199af1c6ab26144d681dd20a773fdde06da26dce0ac980884f56fa9ecb12f3590