Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/06/2024, 17:59
Static task: static1
General
Target: 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe
Size: 4.6MB
MD5: 867049caf261d98c32e829522c753d54
SHA1: 2cac563503d1e918c56fb10964c5cd3a8816e21e
SHA256: 6617797f33ff6548403ef530c0fc633ed401c3fe485844a582f5d816527e4985
SHA512: b3aaea91f1f6a74feb13e13e292ad70b2f4ee395b572644b145f26e569f66521d233432f8d6fea112ec075a56f841971b83b5482262ec66f86cd41490a234f5c
SSDEEP: 49152:4ndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGs:y2D8siFIIm3Gob5iEQB2Yyjl
Malware Config
Signatures
Executes dropped EXE 26 IoCs
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 28 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (process: 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe)
File opened for modification: C:\Windows\DtcInstall.log (process: msdtc.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: TieringEngineService.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: TieringEngineService.exe)
Enumerates system info in registry 2 TTPs 3 IoCs
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: chrome.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: chrome.exe)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: chrome.exe)
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe -
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid Process 2784 chrome.exe 2784 chrome.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 
2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 2600 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 5556 chrome.exe 5556 chrome.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 652 Process not Found 652 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 2784 chrome.exe 2784 chrome.exe 2784 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
SeTakeOwnershipPrivilege is enabled by the sample itself (PID 460); it is the privilege a process needs to take ownership of TrustedInstaller-owned files such as the System32 service binaries the sample opens for modification. The SeShutdownPrivilege/SeCreatePagefilePrivilege pairs are attributed to chrome.exe (PID 2784) rather than to the sample, and SeDebugPrivilege is enabled by alg.exe (PID 1964), which the report lists among the executables dropped by the sample.
description pid Process Token: SeTakeOwnershipPrivilege 460 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeDebugPrivilege 1964 alg.exe Token: SeDebugPrivilege 1964 alg.exe Token: SeDebugPrivilege 1964 alg.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 
2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe Token: SeShutdownPrivilege 2784 chrome.exe Token: SeCreatePagefilePrivilege 2784 chrome.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 2784 chrome.exe 2784 chrome.exe 2784 chrome.exe 2920 chrmstp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 460 wrote to memory of 2600 460 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 80 PID 460 wrote to memory of 2600 460 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 80 PID 460 wrote to memory of 2784 460 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 82 PID 460 wrote to memory of 2784 460 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 82 PID 2784 wrote to memory of 2536 2784 chrome.exe 83 PID 2784 wrote to memory of 2536 2784 chrome.exe 83 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 
2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 4972 2784 chrome.exe 89 PID 2784 wrote to memory of 2792 2784 chrome.exe 90 PID 2784 wrote to memory of 2792 2784 chrome.exe 90 PID 2784 wrote to memory of 4660 2784 chrome.exe 91 PID 2784 wrote to memory of 4660 2784 chrome.exe 91 PID 2784 wrote to memory of 4660 2784 chrome.exe 91 PID 2784 wrote to memory of 4660 2784 chrome.exe 91 PID 2784 wrote to memory of 4660 2784 chrome.exe 91 PID 2784 wrote to memory of 4660 2784 chrome.exe 91 PID 2784 wrote to memory of 4660 2784 chrome.exe 91 PID 2784 wrote to memory of 4660 2784 chrome.exe 91 PID 2784 wrote to memory of 4660 2784 chrome.exe 91 PID 2784 wrote to memory of 4660 2784 chrome.exe 91 PID 2784 wrote to memory of 4660 2784 chrome.exe 91 PID 2784 wrote to memory of 4660 2784 chrome.exe 91 PID 2784 wrote to memory of 4660 2784 chrome.exe 91 PID 2784 wrote to memory of 4660 2784 chrome.exe 91 PID 2784 wrote to memory of 4660 2784 chrome.exe 91 PID 2784 wrote to memory of 4660 2784 chrome.exe 91 PID 2784 wrote to memory of 4660 2784 chrome.exe 91 PID 2784 wrote to memory of 4660 2784 chrome.exe 91 PID 2784 wrote to memory of 4660 2784 chrome.exe 91 PID 2784 wrote to memory of 4660 2784 chrome.exe 91 PID 2784 wrote to memory of 4660 2784 chrome.exe 91 PID 2784 wrote to memory of 4660 2784 chrome.exe 91 PID 2784 wrote to memory of 4660 2784 chrome.exe 91 PID 2784 wrote to memory of 4660 2784 chrome.exe 91 PID 2784 wrote to memory of 4660 2784 chrome.exe 91 -
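The WriteProcessMemory table above reports one row per call, so a single child launch (chrome.exe writing its gpu-process child 4972, for instance) appears dozens of times and the actual parent/child lineage is hard to see. The following script is an added example for this page, not part of the sandbox's tooling: it parses rows in the table's flattened `PID <writer> wrote to memory of <target> <writer> <image> <index>` shape, collapses duplicates into parent → child edges with a per-edge count, and walks the descendants of the sample's PID. `SAMPLE_ROWS` is a constructed excerpt of the table (eight rows, duplicates included); the function names are the example's own.

```python
"""Rebuild parent/child lineage from Triage-style WriteProcessMemory rows.

Added example for this report page; not the sandbox's own code.
Each table row reads:
    PID <writer> wrote to memory of <target> <writer> <writer image> <target index>
One row is emitted per WriteProcessMemory call, so the same edge repeats many
times; collapsing the rows gives the process tree and a per-edge call count.
"""
import re
from collections import Counter, defaultdict

ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<idx>\d+)"
)

# Constructed excerpt of the page's table (eight rows, duplicates kept on purpose).
SAMPLE_ROWS = (
    "PID 460 wrote to memory of 2600 460 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 80 "
    "PID 460 wrote to memory of 2600 460 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 80 "
    "PID 460 wrote to memory of 2784 460 2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe 82 "
    "PID 2784 wrote to memory of 2536 2784 chrome.exe 83 "
    "PID 2784 wrote to memory of 4972 2784 chrome.exe 89 "
    "PID 2784 wrote to memory of 4972 2784 chrome.exe 89 "
    "PID 2784 wrote to memory of 4972 2784 chrome.exe 89 "
    "PID 2784 wrote to memory of 4660 2784 chrome.exe 91"
)


def parse_rows(text):
    """Return (writer_pid, target_pid, writer_image) for every row in the flattened table."""
    return [(int(m["src"]), int(m["dst"]), m["image"]) for m in ROW_RE.finditer(text)]


def build_tree(edges):
    """Collapse repeated rows into parent -> Counter(child -> rows) and record writer images."""
    tree = defaultdict(Counter)
    images = {}  # only writers carry an image in this table; targets do not
    for src, dst, image in edges:
        tree[src][dst] += 1
        images[src] = image
    return tree, images


def descendants(tree, root):
    """All PIDs reachable from root along writer -> target edges (cycle-safe)."""
    seen, stack = set(), [root]
    while stack:
        pid = stack.pop()
        for child in tree.get(pid, ()):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def render(tree, images, root, depth=0, rows=None):
    """Indented text tree; each child line carries the number of collapsed rows."""
    label = f"{root} {images.get(root, '(target only, image not in table)')}"
    if rows is not None:
        label += f"  [{rows} WriteProcessMemory rows]"
    lines = ["  " * depth + label]
    for child, n in sorted(tree.get(root, {}).items()):
        lines.extend(render(tree, images, child, depth + 1, n))
    return lines


if __name__ == "__main__":
    tree, images = build_tree(parse_rows(SAMPLE_ROWS))
    print("\n".join(render(tree, images, 460)))
    print("descendants of 460:", sorted(descendants(tree, 460)))
```

Run against the whole table, `render(tree, images, 460)` reduces the 64 rows to the handful of launches that matter: the sample (460) writing its crashpad-handler copy (2600) and chrome.exe (2784), and chrome.exe writing its own helper processes.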
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service (VSS) manages backups/snapshots; ransomware commonly calls it to enumerate and delete shadow copies so that encrypted files cannot be restored from them. In this run the VSS service binary itself, C:\Windows\system32\vssvc.exe, is among the System32 files the sample opened for modification and later runs as a dropped EXE (PID 2964), as do the backup engine wbengine.exe (PID 5112) and vds.exe (PID 3348), so the VSS activity should be read together with those overwrites rather than as a separate VSS client call.
Processes (each child process is indented under its parent)

C:\Users\Admin\AppData\Local\Temp\2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe (PID 460)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe (PID 2600)
      Command line: C:\Users\Admin\AppData\Local\Temp\2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2cc,0x2d0,0x2e0,0x2d8,0x2e4,0x1403796b8,0x1403796c4,0x1403796d0
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2784)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2536)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb55f5ab58,0x7ffb55f5ab68,0x7ffb55f5ab78
        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4972)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1924,i,5553202773221836264,2353414645732243035,131072 /prefetch:2
        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2792)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1924,i,5553202773221836264,2353414645732243035,131072 /prefetch:8
        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4660)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=1924,i,5553202773221836264,2353414645732243035,131072 /prefetch:8
        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3352)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1924,i,5553202773221836264,2353414645732243035,131072 /prefetch:1
        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2660)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3196 --field-trial-handle=1924,i,5553202773221836264,2353414645732243035,131072 /prefetch:1
        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2760)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4384 --field-trial-handle=1924,i,5553202773221836264,2353414645732243035,131072 /prefetch:1
        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5064)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4496 --field-trial-handle=1924,i,5553202773221836264,2353414645732243035,131072 /prefetch:8
        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4860)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4620 --field-trial-handle=1924,i,5553202773221836264,2353414645732243035,131072 /prefetch:8
        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1580)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3912 --field-trial-handle=1924,i,5553202773221836264,2353414645732243035,131072 /prefetch:8
        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4976)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1924,i,5553202773221836264,2353414645732243035,131072 /prefetch:8
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe (PID 4400)
          Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
          - Executes dropped EXE
            C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe (PID 4256)
              Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
              - Executes dropped EXE
            C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe (PID 2920)
              Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
              - Executes dropped EXE
              - Modifies registry class
              - Suspicious use of FindShellTrayWindow
                C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe (PID 2392)
                  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x14044ae48,0x14044ae58,0x14044ae68
                  - Executes dropped EXE
        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3600)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 --field-trial-handle=1924,i,5553202773221836264,2353414645732243035,131072 /prefetch:8
        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5556)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1876 --field-trial-handle=1924,i,5553202773221836264,2353414645732243035,131072 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\alg.exe (PID 1964)
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (PID 1452)
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  - Executes dropped EXE

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (PID 3308)
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (PID 3052)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (PID 744)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (PID 4816)
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE

C:\Windows\System32\svchost.exe (PID 5056)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe (PID 2924)
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

C:\Windows\System32\msdtc.exe (PID 884)
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (PID 2616)
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE

C:\Windows\SysWow64\perfhost.exe (PID 4312)
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE

C:\Windows\system32\locator.exe (PID 4304)
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE

C:\Windows\System32\SensorDataService.exe (PID 1932)
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)

C:\Windows\System32\snmptrap.exe (PID 632)
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE

C:\Windows\system32\spectrum.exe (PID 4848)
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)

C:\Windows\System32\OpenSSH\ssh-agent.exe (PID 3500)
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE

C:\Windows\system32\svchost.exe (PID 4580)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe (PID 4420)
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry

C:\Windows\system32\AgentService.exe (PID 4104)
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE

C:\Windows\System32\vds.exe (PID 3348)
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE

C:\Windows\system32\vssvc.exe (PID 2964)
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE

C:\Windows\system32\wbengine.exe (PID 5112)
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE

C:\Windows\system32\wbem\WmiApSrv.exe (PID 4984)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE

C:\Windows\system32\SearchIndexer.exe (PID 4332)
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
    C:\Windows\system32\SearchProtocolHost.exe (PID 5480)
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
    C:\Windows\system32\SearchFilterHost.exe (PID 5504)
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      - Modifies data under HKEY_USERS
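The pattern that runs through the process list is a sample in the user's Temp directory opening service executables under C:\Windows\System32 for modification, after which those same binaries (alg.exe, fxssvc.exe, vssvc.exe, SearchIndexer.exe and the rest) are launched and flagged "Executes dropped EXE". The script below is an added example for this page, not the sandbox's own rule, showing how that behaviour looks as a detection over Sysmon-style telemetry: Event ID 11 (FileCreate, which also fires on overwrite) records where a non-allow-listed writer touches an executable under the system directories, escalated when the writer itself lives in a user-writable path, and then joined to a later Event ID 1 (ProcessCreate) for the same image. The event records, their timestamps and the allow-list are constructed/assumed; the sample's path, the alg.exe/vssvc.exe targets and the PIDs 1964 and 2964 are taken from the report. Field names follow Sysmon's; the function names are the example's own.

```python
"""Flag %SystemRoot% executables overwritten by a user-writable-path process,
then tie each overwritten binary to its later execution.

Added example for this report page; not the sandbox's own rule.
Events are Sysmon-style dicts: EventID 11 = FileCreate (also fires on
overwrite), EventID 1 = ProcessCreate. All records below are constructed;
only the sample path, the target names and PIDs 1964/2964 come from the report.
"""
from pathlib import PureWindowsPath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
EXEC_SUFFIXES = {".exe", ".dll", ".sys"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\",
                 "\\users\\public\\", "c:\\programdata\\")
# Writers that legitimately replace system binaries (assumed allow-list; extend per environment).
ALLOWED_WRITERS = {"c:\\windows\\servicing\\trustedinstaller.exe"}

SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-11_867049caf261d98c32e829522c753d54_ryuk.exe"

# Constructed events, in chronological order (timestamps are invented).
EVENTS = [
    {"EventID": 11, "UtcTime": "2024-06-11 17:59:41.100", "Image": SAMPLE,
     "TargetFilename": "C:\\Windows\\System32\\alg.exe"},
    {"EventID": 11, "UtcTime": "2024-06-11 17:59:41.220", "Image": SAMPLE,
     "TargetFilename": "C:\\Windows\\system32\\vssvc.exe"},
    {"EventID": 11, "UtcTime": "2024-06-11 17:59:41.300", "Image": SAMPLE,          # not a system binary
     "TargetFilename": "C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat"},
    {"EventID": 11, "UtcTime": "2024-06-11 17:59:42.000",                           # servicing stack, allow-listed
     "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe",
     "TargetFilename": "C:\\Windows\\System32\\drivers\\example.sys"},
    {"EventID": 1, "UtcTime": "2024-06-11 18:00:03.500", "ProcessId": 1964,
     "Image": "C:\\Windows\\System32\\alg.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"EventID": 1, "UtcTime": "2024-06-11 18:00:05.900", "ProcessId": 2964,
     "Image": "C:\\Windows\\system32\\vssvc.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"},
]


def norm(path):
    """Case-fold a Windows path so System32/system32 spellings compare equal."""
    return str(PureWindowsPath(path)).lower()


def is_system_binary(path):
    p = norm(path)
    return PureWindowsPath(p).suffix in EXEC_SUFFIXES and p.startswith(SYSTEM_DIRS)


def is_user_writable(path):
    return any(marker in norm(path) for marker in USER_WRITABLE)


def overwrite_alerts(events):
    """FileCreate records where a non-allow-listed writer touches a system binary.
    Severity is 'high' when the writer itself runs from a user-writable path."""
    alerts = []
    for ev in events:
        if ev["EventID"] != 11 or not is_system_binary(ev["TargetFilename"]):
            continue
        if norm(ev["Image"]) in ALLOWED_WRITERS:
            continue
        alerts.append({"target": ev["TargetFilename"], "writer": ev["Image"], "time": ev["UtcTime"],
                       "severity": "high" if is_user_writable(ev["Image"]) else "medium"})
    return alerts


def executed_after_overwrite(events):
    """Map each alerted target (normalised path) to the PID of the first later
    ProcessCreate that launches that same image: the 'Executes dropped EXE' step."""
    written = {norm(a["target"]): a["time"] for a in overwrite_alerts(events)}
    launched = {}
    for ev in events:
        image = norm(ev["Image"])
        if ev["EventID"] == 1 and image in written and ev["UtcTime"] > written[image]:
            launched.setdefault(image, ev["ProcessId"])
    return launched


if __name__ == "__main__":
    for a in overwrite_alerts(EVENTS):
        print(f"[{a['severity']}] {a['writer']} -> {a['target']} at {a['time']}")
    for target, pid in executed_after_overwrite(EVENTS).items():
        print(f"overwritten binary later executed: {target} (PID {pid})")
```

The allow-list is the part to tune: Windows servicing legitimately rewrites System32 binaries, so without it the rule fires on every cumulative update, while a writer under AppData\Local\Temp has no legitimate reason to touch those files at all.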
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD56b034c3b0fa8cf019ebf10fc48673103
SHA10923a12fec2a41d33a15b06941930d3bdfa58e5f
SHA25673bedfe145acce597471e5303916eaa0071472c6437282cff04996f17e8bee2c
SHA512e7902fec428257c8a3d11eb5d2043afbba26609c563cdf75e01a0f4b03bff18ba10fbd3d27878aca58525a6d1bad21c6f5c4cdeac4deefc727d23c340801d8d5
-
Filesize
797KB
MD50373230536ec4d12fb6391d10d646af1
SHA1d901b9330249c2e0c2d9cc0b649200372a0b327a
SHA256f11d83f2fe8007c8270f74f07de44e7f98274042899f7707fa94d53a1be3ff2a
SHA5128566e8abb579544508f8fd7138a522725d055f6c7508a94e98794378549bfc225e78c3d5d876ff4764b5efc08bffcd06ac5908071617aec7941ae1c9923ea4d7
-
Filesize
1.1MB
MD5a179e9e1b00854483c7b543530dde253
SHA17b99da11c60aaf676acfe14f41b32d61dbc5fd94
SHA256f7aa86402fc8e5507ccb0c5dd15850ceb853684ad48e1b0741c08badfc0aaca9
SHA512155f970fbc98a10d5364106e4f781d94bd570bfda10385c09f26d27a93259bd98fa09b56215cd54c2429d09932b71859f43235e34485373457321ff0affad30b
-
Filesize
1.5MB
MD5e04c4673acd1bd69044b0a0434546aa8
SHA12e41de47ec8eeb29651810291d3b5e917e96c40d
SHA256823552759cf5c05feb4e6ec945ea48cbffa5b3a6c9b11eadf40695f0711ab92a
SHA512d8632903808ed13455af5b190f0068d112cd46c6b54424cb3179160cd34dfad1d1060af2362127ab638a3808f34d271c5677d715fb2c7b36c0ecacc81f859472
-
Filesize
1.2MB
MD589da27c59bf0cc7e77a1ca1424ac3480
SHA13fd36cd505f100fc3ff1096e308eefcc63733f09
SHA256602b64ea36289efed079107a0094a68b7f9112199459204afd8eb1058f08bf8c
SHA512cad032cfd4fbd259b279d02d70352da302808d3d8a409b1095f971f3799d35d017cbb9dcb76ba42a6bd4f446542047fc1927976c6bae2a2a7925a3aeb48f3a0a
-
Filesize
582KB
MD593b0ccb3a03e5e0e74a8d749ddff4cdb
SHA1a2f51e6c1453d53372f1c166b2ce8619afd71604
SHA25613e89b99e487ae26399445fd993b2bb7bee66f2d8cef2a27b8c98cc8758ccf4d
SHA512625b7a0f0069c6b67977bf6d246e4ee459e63d8bc57f3834d27af3fcf5f09b44d897c97cefd50662484004c73bc05c96d4da7efea31183f0ec39ba51c7ac012d
-
Filesize
840KB
MD5830a4e6e7a3789991fc40f991fcfc7e7
SHA10c93e3706ca097a2b5285ec8027fdccc7bf632b0
SHA256f43d9be08642d9bf262037465870c7efc9609a40899bcf89593116c3906ae596
SHA51291f24be8bc0604a55285fc6c61a8ad22ec8dfb826373d56eb9a8ae0a730efa3dbde74d8f695033e8e55f0954e8d092c9c18f74dc1418074c7b1c22d424b78d92
-
Filesize
4.6MB
MD5cd5d96115b2744a5a8565c5cd0790bca
SHA1ec19fe5c5a17789cd0a1e9d749ee8215e5418e4d
SHA2569b4f9785cc9387b262a6baf83a4dd257a1d52120439f89ab252f7f3e5ac73eb9
SHA5128b6a8d6d431fbb708d0986d99aa6961c5adf5419c9903c9bf38597b45e88b8a50482198b673d99172992aa20af3c22fd410142f585a5ef286775cd0285175d6b
-
Filesize
910KB
MD5ebd5762d3bd81ef73da16d34e90f2c80
SHA103a4a4ffa9664cd11179f43f4ef30d96dcd125a1
SHA2565e4866f968af67042cada256211774c42e71cc2cb04ab7864c603929546ee31c
SHA5129255e6d2b5cbfe5c005605089e4caa2e30162d838cceabd658f7de77cb28e0fcd0a4a841d7f7836479f87ef6fc5d376a51de5ce74e30c4edfdd1f92ffbb776bb
-
Filesize
24.0MB
MD50228841ac0d8205c5d5c3ac2cc7a00db
SHA12fdd59e7f64e9f8f6ed79b8dda259a403902ed52
SHA2564742a8fa3f2e80db17f4d10d538a53afac93b20e883fae0eb09a80c3e2c82352
SHA51271c2db7df7868bfac236855660306c9cfb824182a86ef6619bda491d1356e64e56ee0b67efdeeab7e89c1808bdc2bc1d0483d7321fd871087cbdafc79d6ec692
-
Filesize
2.7MB
MD5ff84a51d93076518e6d7577ccf0f39e8
SHA12bd501191fc6d1c3cefa8fc851acffc771424959
SHA256627792a73c78bac4db02edf6acdcbe674f6b103329215bd11f08aef227372c2d
SHA51202893466d73105e8c18ffb49b55d86fe1c3f1c512cac8431e15ce510c0aab5759918c92c9679a4f0296600f18ca4d5cca0ebe536e66ad5d61500d4eba2a89163
-
Filesize
1.1MB
MD51078fd6feca65600f041d1a90375c853
SHA1b7f19410a1aa897cf36b4f4fced4286aa8889286
SHA256cf75dea76187dff2cceb9c738c8ef7e33ae8606d695d6ba8398e67b794575b94
SHA512e906d0c6ee3cb24bc53e3acf1c1e809f4c0e08544d12b6bbc07af076e765ed83ff272dd191e0626c5c03d59ac0665376ad062c77b97e79f61e69dbd4c1731f03
-
Filesize
805KB
MD53b0c6e4b06c0aae2d71c4bfba4457e44
SHA18a324024a89d5404af6b20896958a3a0d65ab854
SHA256c6f337a20d5bfb89c15456e2cdedbf0f1115606ba480ba2d64513a0b79499fee
SHA512099eb44824088e10b665a141aedba9c3d825f8bd1d1d551b65801be1fa9d6bd562d9c443fae78847ae1ec3449ccb71cfb6e6192a5f5550c6b289c335d48aeeeb
-
Filesize
656KB
MD5c25b0029a553d47d4a9d09f9b3202a8d
SHA1f6ba1dcb3f5a332658feb7d90478f3cf8c47e4f2
SHA256a2fd20b7222d2551ecbe23f6f00c90dcf82863a8a887a0f836240ea11a0c156c
SHA512de6eb1aaf64a50e74ff92714d89aeec6f58ec7413378f4bd214acb76b7bf008f1042f4fe2a05685691c13a0ea374a3e5a560dd4ae29398065b0cbd5a5f2f4cf3
-
Filesize
5.4MB
MD5f66d7f2137f8a20d8432055237c0f7c9
SHA1832c4aec8512dc66e6133cf4a5782ee2bb4c2520
SHA256eb39326c1eca040b8020800bd3c829643d1e3c7269e84c0d0ed25d8eee390dad
SHA5122882aa0fc756f2fd68fd05d5afcdc0fbced23947f3880646f0db844544f4fc908bb441434d7a14f6d77c49658bbdc7dcbea388a0b02f46a8b30ac7098c26ad14
-
Filesize
5.4MB
MD5a3cf6ebd7aa20edcdde90e959db4a1eb
SHA13ca76b3980baaf09d0bca164fb9cde226612bd14
SHA256eba0b40cfe7e74982c9bf0a091f99e96e05f766164e401e047a43375f72ddf8f
SHA5121fb3710320d2752a813e1f59c7cb6fbc56bdb488a91d734201fa6c6d62ee1b503db2eecb29f6bca405fa7c700285cff9dc27763dbb30a0b558066f0108384163
-
Filesize
2.0MB
MD5dbac2d1684f10d7be3798d6556bf11eb
SHA1d6a7df96a36f6c489cf622197ecab2f51d25f5ea
SHA2564ab99ca518de4d85250fe62bd2c8c49533cdd840f0b3b397a5e03177e298d172
SHA51291c099ed5b3ead4738bccdfe1cada32cc7e90515b1c767f08db444d7171326d80df6b69ba2bb64a7702e71b77170067ab6eb2a2e09ed12bc19f5d92be179326c
-
Filesize
2.2MB
MD54104273b94e263806f5d4492792a3f1e
SHA1b2512ec2b4a0652a7f1e5356eb83600e1c577c0c
SHA256532d40a3d54c51e53da78c9a1c6d28a27f9721ff2bc717bf7f66acc13edbec62
SHA512464d603e5a2a0baa76e60f826182a854f97fc676aca09dd714ab377f24b7677590fa66988cba8039aec83227e153d5197a8a75b2a481ba542ddba0c29b26b0f8
-
Filesize
1.8MB
MD56ca5ed1aff884c4435a50c5a6b18ee3a
SHA1cefac3fe5ca1da169014fa6060153d2d36a8ce91
SHA256de62163f65e227722bd2a244dbcf6fbff5fcf25754964ac48f8b01f46683d21d
SHA512d3942a3f103db1e258b40adcc4b077f226eb4f7db59dded3a040a395e09bed5a4c208cafa2d6d9c37cdfd58cf4702a9a01a5bb4350f5d4c4cd8b74dc6fb13b3b
-
Filesize
488B
MD56d971ce11af4a6a93a4311841da1a178
SHA1cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize
1.7MB
MD5daf74cac7a43b5045c5e30349e70fb14
SHA1f3155896107c54b849f1cf506b2eff2feb6e0e41
SHA256cc33c183ec3e45b2b259aaa302b6a4d1688e365867f2fabb35c08710dff1fa22
SHA5128d26c80938d465614a5ec106ab35516efdf6e5e5a764f7a91250893a7e2c123e2993e1638d9cabb7abe6b36083c7530b760e7ae65f8121dbf54e74e02bf15834
-
Filesize
581KB
MD58ac7e2338db7c8622d7342514312f52e
SHA194a4e32cb3f0544a8f4a0fbce8392d870ea0ca9f
SHA2563bf7ad21bc70ae9a633745d3a1b5771816d66a16b2efec9ed0648ccaa16f7508
SHA5125d02e14b8e2ca6de7a13383d21e44343e0e581ad45fe1dc849e131d10ad3fcc0fa7bf09820512336ce77e5ad1183dcf88f040082cad7a0b0ce59b2422290c2c9
-
Filesize
701KB
MD548b70b6917c3310b227181a71a8a84ab
SHA17e44da54c06b9748864641fa13684c2fa05365d9
SHA2568901b975bdf2db951fe67ba0ac8e01717a65f0f94b138b3bf7ede0f8b1488c3c
SHA51240c91bf47338b16b34a0a4b81232ea9ccccda7e9d64573d6086856299ce5b590f686814f7135f4b3ede901c14ec6e84bb5a4d116ee35f1dd25b67b2c43ac1e1d
-
Filesize
40B
MD5
ecca8993047150870094c763386eb4e0
SHA1
e77376a1868359b6270fe9924477d645bd5d7d1d
SHA256
bc2822a5efb199dcc655254b162e8e690280697a639ba9b6901133798470dafc
SHA512
28eee493fd526ef4227665583b28d600954d71babf027c2aa6bc8d72684d4ebe8b84436dd75a7fe29b6d17c8fd91f27a08e4d9deb53e8460a518bd7c09ca297c
-
Filesize
193KB
MD5
ef36a84ad2bc23f79d171c604b56de29
SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize
1KB
MD5
ca5cc57b22514c0d3b8249474bd087c5
SHA1
0b00dd195548cbcdd31b6b39168d90fc5d4a3015
SHA256
18d8cce9afa9386568f83cf7efd876ae56116e1ad59e2c151229dcfab3c921cf
SHA512
72cd48c7e57212333210cbd2770e26079172677e5549cf6082c23e7a9a7b8c9792f872b5555d93d2452d6d62e3d9de93afc2e2ccef7b571cf95a595ddf9fd24c
-
Filesize
2B
MD5
d751713988987e9331980363e24189ce
SHA1
97d170e1550eee4afc0af065b78cda302a97674c
SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD5
8255b2324aef0241d59e302ca76b2a16
SHA1
a03ef70cd812661bb323623fce663dec9a80da92
SHA256
696a4b510bdc4f2377a99118458def32d13f023db2e3612fd5df979a38599ffe
SHA512
d87b6f72e2c2156c45ebff2f318a1c7f482e1bf26fd150d79ccd04e51baccb336ba2fc249e7320a7671790fd861b7db7ff80d22374fffaad3cb0f5eb3a52502f
-
Filesize
5KB
MD5
ca44d7615667402f64255d0cd16fd37c
SHA1
ddc9f0ff73c422eb84b370624163c2ba6543ab05
SHA256
50a8e727ebd93a6b93631ae1f01635e39765e9d2a19c00b0129f0ee49cc88982
SHA512
9695665f7a2fb91053fef809ddd20bd478b05382756bf19957b89d7e8f2b0d39f7a5cfe775b7d9b4a0723cd8aef99de87d013b554820614cafdc7ca433b335c4
-
Filesize
2KB
MD5
17452b252e572ce0e1d15bd52b3d96dd
SHA1
76e11b2ee8ae5cfbac60be4c4f1609879da3586f
SHA256
078b9af3cc02d4ce24f484c105def6fa6ab3b239269d39b503bd592cd8721ca2
SHA512
23c427290207f4496388e375917532a84121cd606cf36e804d2c30439167068e4eb43930ed32d406fa86cca6cd7f38d3c4f2f3f0bfaa9e157c6cec6e1e8546cd
-
Filesize
16KB
MD5
9b0fa12795cdbb4b51bd6a1829150669
SHA1
e528e2cb7cdcebf7297db5ac9784b79c4ac9637f
SHA256
aea13147468806cc460aee5f4d015223acd6d4da1dbad49547592249efb6030f
SHA512
30406ddd0b80bc0f8bf9aabb07893e89d40e31b7888e7941de032e1e33029c5ba8c038949ecdf6c0f91b08dab14fc34d3ecfa6a96573d7e1a54bfcd518ad6a10
-
Filesize
264KB
MD5
71e8082876a673c516fee57b8607c9f9
SHA1
432c7962bd1eefdc5ce67560076207bebf100e03
SHA256
5f4beefae8b752d4e159c72cc73f2c8bfe4183944bc61932780057559ab6c01a
SHA512
80189fe6b96fc5ce3407e0c81c06be227a28ebb9b9b0d5e828a8cf9bb66a3e6509c51eaf939b65e5fc3f14dadecfe58fbd3a390947f2153b2b77d4610c62eade
-
Filesize
7KB
MD5
217897adfcf94155098446eeba7df24a
SHA1
f3972730872448739c6850ba56434606094dbb19
SHA256
8c4fd5dc68fc546a9a64f9ec7330f2e7b418e6aa27fc085124650a1eb581c698
SHA512
91e02720d4251820b5023315adb8d12770cb3371bd6758f4664eab15ece403d3716007c67f70d352044cd0a4b7d54b3b6e5d52211e5081a8dd86aed161cefeac
-
Filesize
8KB
MD5
cd83c2eff1dc2df3b0cdd7d14edcfac3
SHA1
380422c0ae95957eed9d7dc084564e2f626a55b5
SHA256
b5dcca6df22a72228e8e3b5f3b9fac391f0806da2afbcc6ab6e04dd1b6060a68
SHA512
c33f4375f19d5b2a40199f75c9ec5f6d125c275397470925aa7d57dd1ea8607c2ac10e12819e6d48885273677ce55b0a88106cd70b56d5e439ed3f1aa532bfef
-
Filesize
12KB
MD5
a11fbbbbe205c1e191de9eb494e8550d
SHA1
b4e14179a63e34a84306ca66ba5aade5c9dc3c6c
SHA256
ce09958eb94c6effddee5d4826eb0ab005b4e71f98f45fffbd77aeaf5b665c48
SHA512
327d364c0a76e6a3004cc04b1600e0e4c34a5730f4651a2b89dda7a74fed412bbfc3d575b4e1714fc207e1102e30ea5ce169a892b7efef9055465e6265e50aef
-
Filesize
588KB
MD5
3afff2c4f8453103169c2bd99e90cb8d
SHA1
c7d4f6294ec8db50509e3358ce0cfdd118f52559
SHA256
9ab481ca460a17bcb77b9a31ab4710d8cfba9e9b13c6ea517f5cf5af1ad1f363
SHA512
1f8b50231c1e043dcd04e1f764d817aa5fde89fa22ae5b1ca3e6cec6ab7a4794119c3a28c278c689aabd9377d7e57398ae0b243888aad1d842f58aa8d54b9a42
-
Filesize
1.7MB
MD5
92aa10ebf03e520e097fce5c0228a4f2
SHA1
6db83c6bbe32857cb41c007c5584826487a94ed3
SHA256
5a92de944a20887655fb87d6e3bd187cbec3e60dfee56af0845db56d420ef958
SHA512
b155ceba9c5c535f7de09cabde87c8e857ed5b80d448dde6fb4885adb61471b850013d92e181ef063b9cdf56a5cbf81ef45e58a648544a5ed94d2be225f1326a
-
Filesize
659KB
MD5
53b1bc87c6e0be0eac5304ca1cae3db8
SHA1
36e39138029ffc63d21cd8f5545a413c7ff6bcac
SHA256
65099f6274e0b7096caaed5e2ad090dd8246c3bc50954270004ca8f3eea63442
SHA512
1a39e0fb7463483fc3a59c35748ca6db948b61d050b4690c3a033a128d8018afbeeb8d199c1fb20c57ecc8a7639979c68d966ebd8bb5ba6ff757dfdd52661c13
-
Filesize
1.2MB
MD5
b8b20233daeda3aa03a7447188144ee8
SHA1
983e4152426819747ba65bf8d5b8e09a45b820b9
SHA256
c638bc0a367b308feb8ccd8e2be67b80b8ca5cbde2a733588a1ee77887c27062
SHA512
0440f4d3ea676869c313ef660f4b11ec2e77aa485febb5ecdd8f98c23c50f669f063905a26db4a89d56c416eeda0b22678b6d5f6ee4c1aeedbe79b2c350dc727
-
Filesize
578KB
MD5
77842777d9da82398bb8722a0a2cf5f7
SHA1
654ff71ff42d43ce206e7b9d9e1e269a034faf6e
SHA256
24ced524f9bc8662e7ae8a54aa7fe2a08fe678833099b2577e537c0789aa573f
SHA512
ab4bed81fe72a0936d3e415c8ba44cf73ff0e4572591a387fbfff97b29d7e28b79bcf59d61544d16304a7faeb23d75fbe308fdfc5ade1844b9873379ade38618
-
Filesize
940KB
MD5
60dfe5c13cc9c0ab23439fbb4275f2e6
SHA1
c5a3c4f8a9a7ff053fe27d41886c74c9c74612c5
SHA256
7cbb6db174094b14735df2caf0e493502868504e16caaed261b5785313295e94
SHA512
d3dfaafca52a1dcd86a7f65aed98d122e4a0ea96ec9e22305a481aa78319f9394416a06fb0ec5c6ab08ffe88fe94f82b06d19c77f1c89136309fcaac6897d1bd
-
Filesize
671KB
MD5
678b4065e3da35650e58f8efbb35a3e5
SHA1
7c5b87fdcd61e3bebd91a35c93ff10511fa3a405
SHA256
868c134ce6a45490db574cedcbc47e194c25278aba5ca935e21108e46172c4c6
SHA512
c9e5b0464df3aa052fa22b07286046a9f8b88159eb25e27ceff9970b371c45c8d156b84d33ffb2ebbeb9767a7491c6005fccf053ac1b88441f298c3a7b835686
-
Filesize
1.4MB
MD5
4bdbd2b0400d9025824a1831484cd635
SHA1
7d812f135449343e831e9a59e7a756bfa46eb8ee
SHA256
b356999951c88bdd94825f62659f90286c750c77a6f5112d025c4a9127e27a98
SHA512
b727d0824c23550a821d9cc7f020f3ade26e008936b849beca27dbfb94a6dea945acf029c33a415ecaa7af90174bef2e2949d08faf475e09a5f21c284e4769c4
-
Filesize
1.8MB
MD5
ebdd56acc49fb73ceba1e15fd833ce38
SHA1
d5ddfb400ea43e32e071dfb0044c1ca21c44bbb4
SHA256
08a7c8a88aff3f2e48af548893d01a13c88fdf57c928da60fdb9c90aebc25c2a
SHA512
f20baa789e18d38e5d38dc4237c3b37bebb766316edf21e3d6b3de227c68224c5af5a21ebaaee2115ddd716c97b3c974ad7f99fa9c8f4e5d9be5a29d678f578a
-
Filesize
1.4MB
MD5
1cb27b8c196a1796ba7b4987df8fc0cf
SHA1
c75b4b8a2accd94fe02356406cf628497efe8105
SHA256
6c958bad230d807231ebff37a66969b749da6efb4adb2f311294783542c54bed
SHA512
32e032b47e9a270756697c6c8ef07e8cda6178f25ca897bce702c5964ca0a90619d49fb97e53d2375c42482fdd86f955144e62dc20f94adce7d8ec902b67c86e
-
Filesize
885KB
MD5
604fdd972d1a807f87e38b06880afa44
SHA1
d39c4008293881957d23d7c176c0fd0c57d453c1
SHA256
d5af352d32ae5c344b242250b87d9ab73c4c9abe6c1c28a813561b0f15632c35
SHA512
9b87fdc8b8cf7346eda3fba839bd747040614a34c9867c660ab712f2f004e6153a432e122c486023d5a009f4b7cf3819503cfdd9aa0289c290eeaf70a1331379
-
Filesize
2.0MB
MD5
0ad12b381d50c1dc8300cecbc84d83e3
SHA1
b6016e2de6d3e177b924bfd7902d0145631b9d66
SHA256
97d89f0db331b3829f698e27137286baf9d79bd3616513184169f71cdbbb7d77
SHA512
e6707614085d19a3c21b0b940b44af125aea1f410b4d85d72f3e0eea6653050943ef3e1f7cf76a9377003986ab5d1734e572fc6ec363edf32c13879ac515972f
-
Filesize
661KB
MD5
be9a6b9c106866f9fded265e4fc32d8b
SHA1
04c42738e1a043e808a02dc6f6281681073538e8
SHA256
8c751ddcb1e7d62e7138cbf0a36cff998b0138c9adbb027aaa2f5ccd484bfd3c
SHA512
f7ddc736635ff04a639dd538f65f3756a9b862ceedf12ef308a02cd7ca61d19540cff08cb17230233de1f5a470c811c781e63272eedfb9e36f3307be9a7e5bd2
-
Filesize
712KB
MD5
a3df36e9a947ce42a5f1e836d8176451
SHA1
12b6a4c42863f60c327811a058c14213475b4c42
SHA256
17b11173cb94d693c0184edeb24c1f3d049664df6275021103b0ef8e50fcafd2
SHA512
6187ec94fe3e6f4384d43ef8305d48f2e73ad04abecddcf45a59a72abb11aa8b7fb81c839a662766cc8ec85c6edd224c9b027faec75facaa00734933bbe866ae
-
Filesize
584KB
MD5
e44d5ee4e972194385af8aaa49abac6e
SHA1
ede3c6c6dd11d335292ef040a82a67633645b708
SHA256
3e5ff6db276b16890b8f0ac4ee2f6058f2108d83573cd53cb99a425f5a558445
SHA512
88affbf26380a55b582cfe98cb74f5e512df56f5b3feec6468a2d53d02ad64c90c777f8c595451bf2dfcc01a6218c0ce0b7712a8b21f928d10b907d447e4cd21
-
Filesize
1.3MB
MD5
d07f44b46e8ed84443e09defcac077bd
SHA1
0949a29e5e58df24e59499fdf86fbed69079474a
SHA256
dcc985bc8bb25f12ced451c0f3ca980e8d2a8be24f2c56996f7ea57d6f5f412f
SHA512
a828d236f937f2202390ed126dc2361f79e003b28df4db9435e59f4d9d6629e4b762c54e5dee00729655f9f0ec96a5132041f923c92e8ed0be7115d2e514f580
-
Filesize
772KB
MD5
a5a31623966f0e973d24148d2f238c6a
SHA1
1f4400db3ee69d16dfe3c821d7a96a2b0fd181e1
SHA256
4b9d6001cc34ba182b300d0c92d996603dd46b7cb23a55f189d5f08ebce0e505
SHA512
fce77b79b73f5f43ef8e2fd689a5c233cfbdbccca703427f7396b567f728e26c76d7dd16b13b07c7b90bd34e37d21d720ee7efc5dbe6e9517733a15bc473258e
-
Filesize
2.1MB
MD5
5f13c3efce8652fed2ffd3b00f942c77
SHA1
9c356fd2996a8558b9198e2f44d866ec7b4e4423
SHA256
a650f7cdd81b16a4db805e79a5fafae8f486f7399271c6eda2469051de55195c
SHA512
78db854ca4a4932e1b7d626473f34de2068bbd0e44577ee4a6085d5a8483b069f63bd857fbc073cac261d3bbf87f8b86761aed6c403b9264c44fe627b9dc56ea
-
Filesize
40B
MD5
95c33cc1969930fefbdb95f99b2a9882
SHA1
cd2cd226b2c6f6de0bb090f9ffadb8e643a23970
SHA256
53b715becb7434a9ec7cebf218a7397d5c30fb50f6d3ac578728024f00ba194e
SHA512
c5992c3d6c1d20ed54d7e8cee2d3ac42d929812b770ae770881b4d09475b23cdd5afb323f401ca81bee5566f09638581f8e86b717bfdaf11596e7398978070d6
-
Filesize
1.3MB
MD5
c3cab48d83769795a8e49bab53e3c93b
SHA1
4711ce9502b15c4630156671ebd8dfaa14059a2a
SHA256
6cabbfba82054ffb592007c47e8d89d988a520258c5fe7b2bad4e4214f0e3e41
SHA512
59b772b3a719d0245a4e45a0596a1ceca6409ed9ca31e6ebc8a2193c0fdc9b62f93dda68f00f1458ea07752761669a9fca5610f7e2b58e2040fd1c299d9d95dd
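Each block above is one dropped or modified file: its size followed by MD5, SHA1, SHA256 and SHA512. Before any of these digests go into a blocklist or a hunt query they need two checks that the report itself does not do: that every digest is a well-formed value of the right length (text extraction fuses labels and values and can truncate them), and that the tiny files are not just installer noise. The following is an added example, not the sandbox vendor's code, that parses both the clean two-line layout and the fused "MD5<hex>" layout into records, flags malformed digests, and tries to recognise a small file as known placeholder content by recomputing the digests of a candidate list (the empty JSON values "[]" and "{}" and an empty file are assumed candidates; the report states nothing about file contents). The sample input is constructed from the 2-byte and 1.7MB entries above, with the second entry's SHA512 deliberately cut to eight characters.

```python
# Added example, not the sandbox vendor's code: parse dropped-file hash blocks
# into checked IOC records. The placeholder-content list is an assumption.
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the report's layout: entry 1 in the fused "MD5<hex>" form
# text extraction produces, entry 2 in the clean two-line form with SHA512 truncated.
SAMPLE_REPORT = """\
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
1.7MB
MD5
92aa10ebf03e520e097fce5c0228a4f2
SHA1
6db83c6bbe32857cb41c007c5584826487a94ed3
SHA256
5a92de944a20887655fb87d6e3bd187cbec3e60dfee56af0845db56d420ef958
SHA512
b155ceba
"""

DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Longest labels first so "SHA256<hex>" is not read as SHA1 + "256<hex>"; a fused
# SHA1 value that itself starts with "256" is misread, and the length check catches it.
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*:?\s*([0-9a-fA-F]*)$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
# Assumed candidates for tiny dropped files (installers often leave empty JSON
# values behind); their digests are recomputed, never hardcoded.
KNOWN_CONTENT = {"[]": b"[]", "{}": b"{}", "empty": b""}

@dataclass
class DroppedFile:
    size_text: str = ""
    size_bytes: Optional[int] = None  # exact only for plain "B" sizes
    hashes: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)
    known: Optional[tuple] = None  # (label, [algorithms that agreed])

def parse_report(text):
    """Split '-' separated blocks into DroppedFile records (both layouts)."""
    records, current, i = [], DroppedFile(), 0
    lines = [ln.strip() for ln in text.splitlines()]
    while i < len(lines):
        line, m = lines[i], LABEL_RE.match(lines[i])
        if line == "-":
            if current.hashes:
                records.append(current)
            current = DroppedFile()
        elif line == "Filesize" and i + 1 < len(lines):
            current.size_text, i = lines[i + 1], i + 1
            sm = SIZE_RE.match(current.size_text)
            current.size_bytes = int(float(sm.group(1)) * UNIT[sm.group(2)]) if sm else None
        elif m:
            algo, value = m.group(1).lower(), m.group(2)
            if not value and i + 1 < len(lines):  # two-line layout
                value, i = lines[i + 1], i + 1
            current.hashes[algo] = value.lower()
        i += 1
    if current.hashes:
        records.append(current)
    return records

def validate(rec):
    """Flag missing digests, digests of the wrong length or alphabet, bad sizes."""
    for algo, want in DIGEST_LEN.items():
        value = rec.hashes.get(algo, "")
        if len(value) != want or not re.fullmatch(r"[0-9a-f]+", value):
            rec.problems.append(f"{algo}: {len(value)} hex chars, want {want}")
    if rec.size_bytes is None:
        rec.problems.append(f"unparseable size {rec.size_text!r}")
    return rec.problems

def identify_known(rec):
    """Size must match and at least one reported digest must equal the recomputed one."""
    for label, content in KNOWN_CONTENT.items():
        if rec.size_bytes != len(content):
            continue
        agreed = [a for a in DIGEST_LEN
                  if rec.hashes.get(a) == hashlib.new(a, content).hexdigest()]
        if agreed:
            return label, agreed
    return None

def triage(text):
    records = parse_report(text)
    for rec in records:
        validate(rec)
        rec.known = identify_known(rec)
    return records
```

Run `triage()` over the whole hash list. Records with a non-empty `problems` list are extraction damage to re-check against the original report; records with `known` set are placeholder content that should stay out of blocklists; the remaining multi-megabyte entries are the ones worth pivoting on, by SHA256 rather than MD5.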