Analysis

max time kernel: 152s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/06/2024, 18:04 (DD/MM/YYYY; the sample name carries the same date as 2024-06-11)

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-11_5deb16c0c5563ee0bed2a4f21396fd76_ryuk.exe
Resource: win7-20240419-en

Note that the task list names a win7-20240419-en resource while the Analysis header names win10v2004-20240226-en. The behavioural IoCs below involve Windows 10 components (SgrmBroker.exe, PerceptionSimulationService.exe, OpenSSH\ssh-agent.exe), so the behavioural data is consistent with the Windows 10 image; treat the win7 entry as belonging to a different task.

General

Target: 2024-06-11_5deb16c0c5563ee0bed2a4f21396fd76_ryuk.exe
Size: 5.5MB
MD5: 5deb16c0c5563ee0bed2a4f21396fd76
SHA1: ce5da88349ff4df127f0abd5df717ea9643a151d
SHA256: 6a846f755824e9341bb57ce370bd36adfcb979c3b530d77c4da6a97bbcd0788b
SHA512: 01d9ac653659a53d1a6f25fa3271699f8a2d79ad5a914ad28b96fae0e2113dc432f391574ab7a7cdcdc0fc86c1095ea120bafa720d3db4631246f0c51815782b
SSDEEP: 49152:kEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfd:CAI5pAdVJn9tbnR1VgBVmzKYpfg

The file name embeds the MD5, so verify the digest of whatever copy you are holding against the values above before relying on any of the findings below.

Malware Config

Signatures
Executes dropped EXE (22 IoCs)

pid   Process
1744  alg.exe
3616  DiagnosticsHub.StandardCollector.Service.exe
2816  fxssvc.exe
2788  elevation_service.exe
4876  elevation_service.exe
736   maintenanceservice.exe
2192  msdtc.exe
4180  OSE.EXE
812   PerceptionSimulationService.exe
1712  perfhost.exe
2964  locator.exe
5208  SensorDataService.exe
5340  snmptrap.exe
5456  spectrum.exe
5920  ssh-agent.exe
5356  TieringEngineService.exe
5556  AgentService.exe
4768  vds.exe
5564  vssvc.exe
5860  wbengine.exe
5844  WmiApSrv.exe
6020  SearchIndexer.exe

Every image in this list is an existing Windows or third-party service binary, not a file the sample created. The sandbox counts them as "dropped" because the sample wrote to their on-disk images before they ran: 18 of the 21 distinct names appear in the System32 table below as files the sample opened for modification, and maintenanceservice.exe appears in the Program Files table. Whether the modified images still ran correctly cannot be read from this table; what it does establish is that the integrity of these service binaries can no longer be assumed, so their activity later in the report should be attributed to the sample rather than treated as benign service behaviour.
Reads user/profile data of web browsers (2 TTPs)

Infostealers often target stored browser data, which can include saved credentials etc. No IoC rows are listed for this signature, so the report does not record which process triggered it.
Drops file in System32 directory (25 IoCs)

All 25 rows are "File opened for modification". The process is the sample (2024-06-11_5deb16c0c5563ee0bed2a4f21396fd76_ryuk.exe) unless a different process is shown in square brackets.

C:\Windows\system32\AppVClient.exe
C:\Windows\system32\AppVClient.exe  (listed twice in the report)
C:\Windows\system32\fxssvc.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\spectrum.exe
C:\Windows\system32\TieringEngineService.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\system32\config\systemprofile\AppData\Roaming\c806b18bb3e2edcd.bin  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Windows\system32\MSDtc\MSDTC.LOG  [msdtc.exe]
C:\Windows\system32\dllhost.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\SgrmBroker.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbengine.exe

Despite the signature name, the 23 rows attributed to the sample are existing executables opened with write access, not newly dropped files (one of them, perfhost.exe, lives under SysWow64 rather than System32). The remaining two rows are ordinary log and cache writes by the services themselves. Writing into system service binaries is the behaviour to act on here: each of these images should be hash-checked against a known-good copy before the host is trusted again.
Drops file in Program Files directory (64 IoCs)

All rows are "File opened for modification" by the sample (2024-06-11_5deb16c0c5563ee0bed2a4f21396fd76_ryuk.exe) except the one marked otherwise.

C:\Program Files\Java\jdk-1.8\bin\jstat.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
C:\Program Files\Java\jre-1.8\bin\policytool.exe
C:\Program Files\Mozilla Firefox\pingsender.exe
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe
C:\Program Files\Java\jre-1.8\bin\javacpl.exe
C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe
C:\Program Files\Java\jdk-1.8\bin\jar.exe
C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe
C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe
C:\Program Files\Java\jdk-1.8\bin\pack200.exe
C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe
C:\Program Files\Java\jre-1.8\bin\javaw.exe
C:\Program Files\Java\jre-1.8\bin\servertool.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
C:\Program Files\Common Files\microsoft shared\ink\mip.exe
C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe
C:\Program Files\Internet Explorer\ieinstal.exe
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log  [maintenanceservice.exe]
C:\Program Files\dotnet\dotnet.exe
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
C:\Program Files\Java\jdk-1.8\bin\jstatd.exe
C:\Program Files\Java\jdk-1.8\bin\serialver.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Java\jdk-1.8\bin\javac.exe
C:\Program Files\Java\jre-1.8\bin\tnameserv.exe
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe
C:\Program Files (x86)\Internet Explorer\ieinstal.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe
C:\Program Files\Java\jdk-1.8\bin\java.exe
C:\Program Files\Java\jdk-1.8\bin\javah.exe
C:\Program Files\Java\jdk-1.8\bin\wsimport.exe
C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe
C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe
C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe
C:\Program Files\Java\jre-1.8\bin\unpack200.exe
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe
C:\Program Files\Java\jdk-1.8\bin\kinit.exe
C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe
C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe
C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe
C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe
C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe

As in the System32 table, these are existing third-party executables (Java, Firefox, Chrome, Acrobat Reader, VLC, .NET, Internet Explorer, Windows Media Player) opened for write access by the sample, not new files. The single genuinely created file is the Mozilla maintenance service's own log, written by maintenanceservice.exe, which appears in the "Executes dropped EXE" list above. The report caps this table at 64 rows, so the real set of touched executables may be larger.
Drops file in Windows directory (2 IoCs)

File opened for modification  C:\Windows\DtcInstall.log  [msdtc.exe]
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  [2024-06-11_5deb16c0c5563ee0bed2a4f21396fd76_ryuk.exe]
Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)

SCSI information is often read in order to detect sandboxing environments. In this run, however, every one of the 64 reads is attributed to SensorDataService.exe or spectrum.exe, two of the service binaries the sample had opened for modification, and none to the sample process itself; the rows look like the services' normal device enumeration on start-up and are not evidence of sandbox evasion by the sample.

All keys are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\. The four device instance keys read are:

  A  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
  B  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
  C  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
  D  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000

Each cell names the process(es) that produced a row for that device and subkey (SDS = SensorDataService.exe, SPC = spectrum.exe); the cells account for all 64 rows.

Access             Subkey under the device key                             A         B         C         D
Key opened         (the device key itself)                                 SDS, SPC  SDS, SPC  SDS, SPC  SDS, SPC
Key value queried  FriendlyName                                            SDS, SPC  SDS, SPC  SDS, SPC  SDS, SPC
Key opened         Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SDS       SDS, SPC  SDS, SPC  SDS, SPC
Key opened         Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SDS, SPC  SDS, SPC  SDS, SPC  SDS
Key opened         Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SDS       SDS, SPC  SDS, SPC  SDS
Key opened         Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SPC       SDS       SDS, SPC  SDS, SPC
Key opened         Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SDS, SPC  SDS, SPC  SDS, SPC  SDS
Key opened         Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SDS       SDS, SPC  SDS, SPC  SDS, SPC
Key opened         Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SDS, SPC  SDS, SPC  SDS, SPC  SDS, SPC
Checks processor information in registry (2 TTPs, 2 IoCs)

Processor information is often read in order to detect sandboxing environments.

Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       [TieringEngineService.exe]
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  [TieringEngineService.exe]

Both reads are attributed to TieringEngineService.exe, one of the service binaries the sample had opened for modification, not to the sample process itself.
Enumerates system info in registry (2 TTPs, 3 IoCs)

Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     [chrome.exe]
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   [chrome.exe]
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  [chrome.exe]

All three reads come from chrome.exe, which does not appear in the "Executes dropped EXE" list or in any other row attributed to the sample, so they should not be attributed to the sample without further evidence.
Modifies data under HKEY_USERS (64 IoCs)

All 64 keys are under \REGISTRY\USER\.DEFAULT\ (the prefix is omitted below). 56 rows are attributed to SearchProtocolHost.exe, 7 to SearchFilterHost.exe and 1 to fxssvc.exe; none to the sample. These are the Windows Search indexer and the fax service populating the default profile when they start, which is what would be expected after SearchIndexer.exe and fxssvc.exe appear in the "Executes dropped EXE" list above; on its own this is not an indicator. MuiCache below stands for Software\Classes\Local Settings\MuiCache\22\52C64B7E, and oregres.dll for C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll.

SearchProtocolHost.exe, Key created (19 rows):
  Software
  Software\Microsoft\Windows\CurrentVersion
  Software\Microsoft\Windows\CurrentVersion\Explorer
  Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
  Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif
  Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList
  Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc
  Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList
  Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList
  Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml
  Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList
  Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList
  Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2
  Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml
  Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList
  Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV
  Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList
  Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList
  Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached

SearchProtocolHost.exe, Set value (data) under Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\ (6 rows):
  {C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008bbc13f329bcda01
  {F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e65aeee29bcda01
  {3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001dbc02ee29bcda01
  {80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001da900f329bcda01
  {5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d89dacf029bcda01
  {E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c0b5df129bcda01

SearchProtocolHost.exe, Set value (str) under MuiCache\ (31 rows):
  @C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"
  @C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"
  @C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"
  @oregres.dll,-125 = "Microsoft Word Template"
  @C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"
  @C:\Windows\System32\mshta.exe,-6412 = "HTML Application"
  @oregres.dll,-178 = "OpenDocument Presentation"
  @windows.storage.dll,-34583 = "Saved Pictures"
  @C:\Windows\System32\ieframe.dll,-912 = "HTML Document"
  @C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"
  @oregres.dll,-101 = "Microsoft Excel Worksheet"
  @oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"
  @C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"
  @C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"
  @C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"
  @C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"
  @C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"
  @C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"
  @windows.storage.dll,-21825 = "3D Objects"
  @C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"
  @C:\Windows\system32\cabview.dll,-20 = "Cabinet File"
  @oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"
  @oregres.dll,-127 = "OpenDocument Text"
  @oregres.dll,-142 = "Microsoft OneNote Table Of Contents"
  @oregres.dll,-175 = "Microsoft PowerPoint Slide Show"
  @C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"
  @C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"
  @C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"
  @windows.storage.dll,-21824 = "Camera Roll"
  @C:\Windows\regedit.exe,-309 = "Registration Entries"
  @oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"

SearchFilterHost.exe, Key created (7 rows):
  SOFTWARE
  Software\Microsoft
  Software\Microsoft\SBE
  Software\Microsoft\MPEG2Demultiplexer
  SOFTWARE\Microsoft\MPEG2Demultiplexer
  Software\Microsoft\ActiveMovie\devenum 64-bit
  Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device

fxssvc.exe, Set value (str) under MuiCache\ (1 row):
  @fxsresm.dll,-1134 = "Microsoft Routing Extension"
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid   Process
832   chrome.exe
832   chrome.exe
6152  chrome.exe
6152  chrome.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid   Process
660   Process not Found
660   Process not Found
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
pid   Process
832   chrome.exe
832   chrome.exe
832   chrome.exe
832   chrome.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                             pid   Process
Token: SeTakeOwnershipPrivilege         4664  2024-06-11_5deb16c0c5563ee0bed2a4f21396fd76_ryuk.exe
Token: SeTakeOwnershipPrivilege         5036  2024-06-11_5deb16c0c5563ee0bed2a4f21396fd76_ryuk.exe
Token: SeAuditPrivilege                 2816  fxssvc.exe
Token: SeShutdownPrivilege              832   chrome.exe
Token: SeCreatePagefilePrivilege        832   chrome.exe
Token: SeShutdownPrivilege              832   chrome.exe
Token: SeCreatePagefilePrivilege        832   chrome.exe
Token: SeShutdownPrivilege              832   chrome.exe
Token: SeCreatePagefilePrivilege        832   chrome.exe
Token: SeShutdownPrivilege              832   chrome.exe
Token: SeCreatePagefilePrivilege        832   chrome.exe
Token: SeShutdownPrivilege              832   chrome.exe
Token: SeCreatePagefilePrivilege        832   chrome.exe
Token: SeShutdownPrivilege              832   chrome.exe
Token: SeCreatePagefilePrivilege        832   chrome.exe
Token: SeShutdownPrivilege              832   chrome.exe
Token: SeCreatePagefilePrivilege        832   chrome.exe
Token: SeShutdownPrivilege              832   chrome.exe
Token: SeCreatePagefilePrivilege        832   chrome.exe
Token: SeShutdownPrivilege              832   chrome.exe
Token: SeCreatePagefilePrivilege        832   chrome.exe
Token: SeShutdownPrivilege              832   chrome.exe
Token: SeCreatePagefilePrivilege        832   chrome.exe
Token: SeShutdownPrivilege              832   chrome.exe
Token: SeCreatePagefilePrivilege        832   chrome.exe
Token: SeRestorePrivilege               5356  TieringEngineService.exe
Token: SeManageVolumePrivilege          5356  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege    5556  AgentService.exe
Token: SeShutdownPrivilege              832   chrome.exe
Token: SeCreatePagefilePrivilege        832   chrome.exe
Token: SeBackupPrivilege                5564  vssvc.exe
Token: SeRestorePrivilege               5564  vssvc.exe
Token: SeAuditPrivilege                 5564  vssvc.exe
Token: SeShutdownPrivilege              832   chrome.exe
Token: SeCreatePagefilePrivilege        832   chrome.exe
Token: SeBackupPrivilege                5860  wbengine.exe
Token: SeRestorePrivilege               5860  wbengine.exe
Token: SeSecurityPrivilege              5860  wbengine.exe
Token: SeShutdownPrivilege              832   chrome.exe
Token: SeCreatePagefilePrivilege        832   chrome.exe
Token: SeShutdownPrivilege              832   chrome.exe
Token: SeCreatePagefilePrivilege        832   chrome.exe
Token: 33                               6020  SearchIndexer.exe
Token: SeIncBasePriorityPrivilege       6020  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         6020  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         6020  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         6020  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         6020  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         6020  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         6020  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         6020  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         6020  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         6020  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         6020  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         6020  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         6020  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         6020  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         6020  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         6020  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         6020  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         6020  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         6020  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         6020  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         6020  SearchIndexer.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 832 chrome.exe 832 chrome.exe 832 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid   Process                                               procid_target
PID 4664 wrote to memory of 5036   4664  2024-06-11_5deb16c0c5563ee0bed2a4f21396fd76_ryuk.exe  91
PID 4664 wrote to memory of 5036   4664  2024-06-11_5deb16c0c5563ee0bed2a4f21396fd76_ryuk.exe  91
PID 4664 wrote to memory of 832    4664  2024-06-11_5deb16c0c5563ee0bed2a4f21396fd76_ryuk.exe  93
PID 4664 wrote to memory of 832    4664  2024-06-11_5deb16c0c5563ee0bed2a4f21396fd76_ryuk.exe  93
PID 832 wrote to memory of 4268    832   chrome.exe                                            94
PID 832 wrote to memory of 4268    832   chrome.exe                                            94
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 4620    832   chrome.exe                                            100
PID 832 wrote to memory of 5080    832   chrome.exe                                            101
PID 832 wrote to memory of 5080    832   chrome.exe                                            101
PID 832 wrote to memory of 764     832   chrome.exe                                            102
PID 832 wrote to memory of 764     832   chrome.exe                                            102
PID 832 wrote to memory of 764     832   chrome.exe                                            102
PID 832 wrote to memory of 764     832   chrome.exe                                            102
PID 832 wrote to memory of 764     832   chrome.exe                                            102
PID 832 wrote to memory of 764     832   chrome.exe                                            102
PID 832 wrote to memory of 764     832   chrome.exe                                            102
PID 832 wrote to memory of 764     832   chrome.exe                                            102
PID 832 wrote to memory of 764     832   chrome.exe                                            102
PID 832 wrote to memory of 764     832   chrome.exe                                            102
PID 832 wrote to memory of 764     832   chrome.exe                                            102
PID 832 wrote to memory of 764     832   chrome.exe                                            102
PID 832 wrote to memory of 764     832   chrome.exe                                            102
PID 832 wrote to memory of 764     832   chrome.exe                                            102
PID 832 wrote to memory of 764     832   chrome.exe                                            102
PID 832 wrote to memory of 764     832   chrome.exe                                            102
PID 832 wrote to memory of 764     832   chrome.exe                                            102
PID 832 wrote to memory of 764     832   chrome.exe                                            102
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. Ransomware commonly reaches this interface to enumerate and delete existing shadow copies before encrypting files, removing the victim's simplest local recovery path. This signature only records that the COM API was reached, not that any snapshot was deleted, so confirm the outcome (shadow copies present or gone) before treating it as anti-recovery behaviour. Note also that vssvc.exe itself was opened for modification by the sample and later ran as a "dropped EXE" (PID 5564), so the service binary that would honour such a request is one of the files the sample touched.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-11_5deb16c0c5563ee0bed2a4f21396fd76_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-11_5deb16c0c5563ee0bed2a4f21396fd76_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Users\Admin\AppData\Local\Temp\2024-06-11_5deb16c0c5563ee0bed2a4f21396fd76_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-06-11_5deb16c0c5563ee0bed2a4f21396fd76_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x1404624782⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5036
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb2a39758,0x7ffcb2a39768,0x7ffcb2a397783⤵PID:4268
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1912,i,4968443650358771862,13398077307134956821,131072 /prefetch:23⤵PID:4620
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1912,i,4968443650358771862,13398077307134956821,131072 /prefetch:83⤵PID:5080
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2268 --field-trial-handle=1912,i,4968443650358771862,13398077307134956821,131072 /prefetch:83⤵PID:764
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1912,i,4968443650358771862,13398077307134956821,131072 /prefetch:13⤵PID:4168
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1912,i,4968443650358771862,13398077307134956821,131072 /prefetch:13⤵PID:1132
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4676 --field-trial-handle=1912,i,4968443650358771862,13398077307134956821,131072 /prefetch:83⤵PID:3904
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4832 --field-trial-handle=1912,i,4968443650358771862,13398077307134956821,131072 /prefetch:13⤵PID:1696
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3872 --field-trial-handle=1912,i,4968443650358771862,13398077307134956821,131072 /prefetch:83⤵PID:2596
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4972 --field-trial-handle=1912,i,4968443650358771862,13398077307134956821,131072 /prefetch:83⤵PID:3700
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1912,i,4968443650358771862,13398077307134956821,131072 /prefetch:83⤵PID:2976
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4704 --field-trial-handle=1912,i,4968443650358771862,13398077307134956821,131072 /prefetch:83⤵PID:1680
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings3⤵PID:5244
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff611e87688,0x7ff611e87698,0x7ff611e876a84⤵PID:5280
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=04⤵PID:5332
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x228,0x244,0x7ff611e87688,0x7ff611e87698,0x7ff611e876a85⤵PID:5372
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 --field-trial-handle=1912,i,4968443650358771862,13398077307134956821,131072 /prefetch:83⤵PID:5472
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5572 --field-trial-handle=1912,i,4968443650358771862,13398077307134956821,131072 /prefetch:83⤵PID:5480
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5224 --field-trial-handle=1912,i,4968443650358771862,13398077307134956821,131072 /prefetch:83⤵PID:5584
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5104 --field-trial-handle=1912,i,4968443650358771862,13398077307134956821,131072 /prefetch:83⤵PID:5140
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5180 --field-trial-handle=1912,i,4968443650358771862,13398077307134956821,131072 /prefetch:13⤵PID:6328
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4076 --field-trial-handle=1912,i,4968443650358771862,13398077307134956821,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:6152
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:1744
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3616
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:4476
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2816
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2788
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4876
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:736
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2192
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:4180
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:812
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:1712
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2964
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5208
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:5340
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5456
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:5920
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:5128
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5356
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5556
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:4768
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5564
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5860
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:5844
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6020 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:5928
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 7842⤵
- Modifies data under HKEY_USERS
PID:5524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4252 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:81⤵PID:7104
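The most actionable pattern in this report is not the Chrome or Windows Search noise but the combination of three rows: the sample (PIDs 4664 and 5036) enables SeTakeOwnershipPrivilege, it opens a long list of System32/SysWOW64 service executables (alg.exe, fxssvc.exe, msdtc.exe, vssvc.exe, perfhost.exe, ...) for modification, and those same binaries later appear under "Executes dropped EXE" when their services start. The script below is an added example, not part of the sandbox report or its tooling: it parses constructed lines in the report's own row formats (an assumption about how the report renders them) and correlates them into a single "system binary overwritten and later executed" finding. The row formats, the sample subset and the verdict thresholds are the editor's assumptions.

```python
"""Correlate sandbox-report rows into a 'System32 binary overwritten, then
executed' finding. Added example; the input rows are a constructed excerpt in
the report's own formats (File opened for modification / Executes dropped EXE /
AdjustPrivilegeToken), not the report's full data."""
import re
from collections import defaultdict

SAMPLE = "2024-06-11_5deb16c0c5563ee0bed2a4f21396fd76_ryuk.exe"

# Constructed excerpt of "Drops file in System32 directory" rows: "<path> <process>".
FILE_ROWS = [
    r"File opened for modification C:\Windows\system32\fxssvc.exe " + SAMPLE,
    r"File opened for modification C:\Windows\System32\msdtc.exe " + SAMPLE,
    r"File opened for modification C:\Windows\system32\vssvc.exe " + SAMPLE,
    r"File opened for modification C:\Windows\System32\alg.exe " + SAMPLE,
    r"File opened for modification C:\Windows\SysWow64\perfhost.exe " + SAMPLE,
    r"File opened for modification C:\Windows\system32\dllhost.exe " + SAMPLE,
    # Benign rows that must not trigger: a log file, and a .bin written by a service.
    r"File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe",
    r"File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\c806b18bb3e2edcd.bin DiagnosticsHub.StandardCollector.Service.exe",
]
# Constructed "Executes dropped EXE" pid/Process pairs, as the report flattens them.
EXEC_ROWS = ("1744 alg.exe 3616 DiagnosticsHub.StandardCollector.Service.exe "
             "2816 fxssvc.exe 2192 msdtc.exe 1712 perfhost.exe 5564 vssvc.exe")
# Constructed "AdjustPrivilegeToken" rows: "Token: <privilege> <pid> <process>".
TOKEN_ROWS = (f"Token: SeTakeOwnershipPrivilege 4664 {SAMPLE} "
              f"Token: SeTakeOwnershipPrivilege 5036 {SAMPLE} "
              "Token: SeAuditPrivilege 2816 fxssvc.exe "
              "Token: SeShutdownPrivilege 832 chrome.exe")

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
_FILE_RE = re.compile(r"^File opened for modification (.+) (\S+)$")  # process name has no spaces
_PAIR_RE = re.compile(r"(\d+)\s+(\S+)")
_TOKEN_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")


def is_system_binary(path: str) -> bool:
    """True for an .exe anywhere under System32 or SysWOW64 (case-insensitive)."""
    p = path.lower()
    return p.endswith(".exe") and p.startswith(SYSTEM_DIRS)


def parse_file_rows(rows):
    """-> [(path, writing_process)]; rows in another format are skipped."""
    out = []
    for row in rows:
        m = _FILE_RE.match(row.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def parse_exec_rows(text):
    """Flattened pid/Process pairs -> {basename.lower(): [pids]}."""
    executed = defaultdict(list)
    for pid, proc in _PAIR_RE.findall(text):
        executed[proc.lower()].append(int(pid))
    return dict(executed)


def parse_tokens(text):
    """Flattened token rows -> [(privilege, pid, process)]."""
    return [(priv, int(pid), proc) for priv, pid, proc in _TOKEN_RE.findall(text)]


def correlate(file_rows, exec_text, token_text, sample=SAMPLE):
    """Join the three signature tables on the sample name and on binary basename.
    SeTakeOwnershipPrivilege is what a non-TrustedInstaller process needs before it
    can replace a protected System32 binary, so it is the privilege we key on."""
    take_own = sorted({pid for priv, pid, proc in parse_tokens(token_text)
                       if priv == "SeTakeOwnershipPrivilege" and proc == sample})
    overwritten = sorted({path.rsplit("\\", 1)[-1].lower()
                          for path, proc in parse_file_rows(file_rows)
                          if proc == sample and is_system_binary(path)})
    executed = parse_exec_rows(exec_text)
    hit = [name for name in overwritten if name in executed]
    verdict = "high" if take_own and hit else ("medium" if overwritten else "low")
    return {
        "take_ownership_pids": take_own,
        "overwritten_system_binaries": overwritten,
        "overwritten_and_executed": hit,
        "not_yet_executed": [n for n in overwritten if n not in executed],
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in correlate(FILE_ROWS, EXEC_ROWS, TOKEN_ROWS).items():
        print(f"{key}: {value}")
```

On a live host or forensic image the same join maps onto Sysmon Event ID 11 (file create under System32 by a non-installer process), Event ID 1 (that binary's later process creation) and Security Event 4673 (sensitive privilege use); the responder's follow-up for each name in `overwritten_system_binaries` is to check its Authenticode signature and compare its hash against a clean build of the same Windows release, since a service that still performs its normal function, as the fax, MSDTC and VSS services appear to here, is no evidence that its binary is intact.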
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.2MB
MD5d36200a4f50bfa924c83644616857726
SHA1bf438a12a1d3fc4cdb1447bb462d4fbc53577228
SHA2563859dc0a4d05b1a08ffa8f90392c273b6f389e1e8897b49e891cf5f6f219f222
SHA5128341cd44c50526132920a8d659b1d54445ee5485859195ad99495541f9aa9eb62da9029a2289fdad0bde6091a32d8afa2304a0c52567fcf1f47a8c67dc319963
-
Filesize
781KB
MD55bba7f14e17c1611606dc638abcea102
SHA1dbe5b2df9f68b9cfed48e9800f9b53fcfb2ed2b6
SHA256ab8d91546cc23aa52d948efae3664cd154a68a58dd906ee89053e8e71aa34867
SHA512924c35c25b99d5b9c217d906f4158dc77752dda28ec23ee261d9d9d87508cd1396f78cc4068bc341ba40d44eb41bfc8172de4690ed538916255eb1c68957c0af
-
Filesize
805KB
MD5a8fab0a30d4537f1ab92f730eb99df49
SHA15c4896e6a0fff5390e2f0b459181f39af935510d
SHA256d42febdea8bb1066fc47f76441eead9527c111f922a742640accf795e0656753
SHA512012ddf03577f0c6c502aa079c1ad89581ed59ce88b3b94a9ae22d3f6cfbe7c10fd770644b25cd3ae3685eee4700e0a6d8326e91fb61dbf4b825063f5f43b4c7c
-
Filesize
2.1MB
MD5711f0c38a0a74aa8730dd5e1fd723f14
SHA1dc6c3ecf9dc37504654dbc1704c8b2388828f5a7
SHA2560de4901ac380f0c45827a8c1d92034bf4752e53ba4d25f8ae67a0235a9e158ec
SHA512583f7cf91341de8af75e9c20c2fe0a7fa86569f6ec5b10231dac3136f2bdd133cd37f110ee53dafe11adc933c9f60dc7890e5ccb90479ff4da602e936fee839a
-
Filesize
273KB
MD5e0f4b04374dca379298d5faca32813e3
SHA1cf133620f4aff1b1b00f273c261ab39f4734b91b
SHA256d1910fca86c191fe919594ed11c244a074b5dbb087ba271bc2803ae663ed4a57
SHA512f3bcd3c7b1cb3873b045dba5cb2c19bf56bdc795a96961732c9cfb89cc8aacd914c78abe12a43f06db6f2e7e8ff2fbaf684feb2e67594e8433fd4be0d8b3375c
-
Filesize
40B
MD585cfc13b6779a099d53221876df3b9e0
SHA108becf601c986c2e9f979f9143bbbcb7b48540ed
SHA256bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3
SHA512b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json
Filesize851B
MD507ffbe5f24ca348723ff8c6c488abfb8
SHA16dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA2566895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA5127ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json
Filesize854B
MD54ec1df2da46182103d2ffc3b92d20ca5
SHA1fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA2566c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
Filesize
193KB
MD5ef36a84ad2bc23f79d171c604b56de29
SHA138d6569cd30d096140e752db5d98d53cf304a8fc
SHA256e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
1KB
MD5c3a449343551aba6ed4fc487c5148428
SHA1a508ce537fcf8926b72d53bca968b6ae7d0de774
SHA256199b54a27bdaa9e42c3b440ffc6ca74a4f84c532a57d03474a8e0724f38207ac
SHA512d7417cbc2b75dabbf0ab002753a2df0bbd303b752df91a0e157791b6737c00bea2313d2e6c6e0748b3d412a21cc7c3b46998f2996059db5911c28a0183681d86
-
Filesize
369B
MD5902088eb0cd7794403a58c6706f9336a
SHA1b037d889fe215b4ba85fa32629271d4a8f85c78b
SHA256f6a398bcff3afc4e101b4741e2325bedf4d47229bc562efa3ed63c18306ef718
SHA512a271e074565bd65153ac483f9f0f7a69d9393c34e2158d468cf9332ee10062ea74c44fc203f89435fccce2d953e85a19f2d11ec3ee33bd5559853e759b2174bc
-
Filesize
5KB
MD5a546abe7b70db95dff4a02cfcece199a
SHA1c2f257073fa6f46f85464fd5fb6d7a1eecfa5a0a
SHA2566656308cebcbed94e57204669ad4c0196a863794f83d8a492428f1fe25076566
SHA512dcd10a536acbaa3190989c2b7ecffe817d4e97b4fe91d37b9c06c7b21d54240935947a1fad322e868a435d3c0860e0d56c5bacc6c4bb244bbdb35ff18947bd5a
-
Filesize
4KB
MD567d76cf517c5a4a1c141c2f7f22692a4
SHA11b493a26239abf17ae31670d04b09024b1f836d2