Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/06/2024, 18:54 (11 June 2024, matching the date prefix of the target filename)
Static task: static1

General
Target: 2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
Size: 4.6MB
MD5: 59595140fac5c8843848b8da7033bcc3
SHA1: caa674ba8880177c62ed6efa52aa62fa827039cd
SHA256: 145684687243b6f62d35148924eb28025cc5b8eb4146299c4682899c846e993b
SHA512: 03894a70216777179406a5aa4edfe6098716dff9826832c11d1788922743cf2a8a128b9a00a2aecd963cc6aa46708e57b74b7d9f3ddc9db2a5a137e5374ef7ad
SSDEEP: 49152:cndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGE:22D8siFIIm3Gob5iErhG/2o3p8
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Every image below is a legitimate Windows or third-party service binary, not a file the sample created from scratch. Most of the same paths appear under "Drops file in System32 directory" below as opened for modification by the sample or by alg.exe; the sandbox tags them as dropped because they were executed after being written. The three that do not appear there (elevation_service.exe, maintenanceservice.exe, OSE.EXE) live under Program Files, where only the first 64 IoCs are listed. Treat each of these binaries as overwritten in place and verify its hash and Authenticode signature on any host that ran this sample.
pid   Process
2192  alg.exe
4708  DiagnosticsHub.StandardCollector.Service.exe
1604  fxssvc.exe
4556  elevation_service.exe
1092  elevation_service.exe
3920  maintenanceservice.exe
2372  msdtc.exe
4128  OSE.EXE
976   PerceptionSimulationService.exe
4448  perfhost.exe
4788  locator.exe
4296  SensorDataService.exe
2540  snmptrap.exe
3116  spectrum.exe
3360  ssh-agent.exe
4060  TieringEngineService.exe
5004  AgentService.exe
3048  vds.exe
4652  vssvc.exe
5172  wbengine.exe
5416  WmiApSrv.exe
5684  SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No IoCs are listed for this signature.
Drops file in System32 directory (31 IoCs)
Apart from MSDTC.LOG (written by msdtc.exe, its normal log) and the .bin that the already-modified alg.exe writes into the system profile's AppData\Roaming, every entry is an existing executable under System32 or SysWow64 that is opened for modification. alg.exe appears as a writer in its own right, i.e. a binary the sample modified goes on to modify further binaries.
description  ioc  Process
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Roaming\948dd73d92be0f3e.bin  alg.exe
File opened for modification  C:\Windows\system32\vssvc.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Windows\System32\SensorDataService.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Windows\system32\fxssvc.exe  alg.exe
File opened for modification  C:\Windows\system32\wbengine.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Windows\system32\SgrmBroker.exe  alg.exe
File opened for modification  C:\Windows\System32\alg.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Windows\system32\spectrum.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Windows\system32\wbem\WmiApSrv.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Windows\system32\msiexec.exe  alg.exe
File opened for modification  C:\Windows\system32\AgentService.exe  alg.exe
File opened for modification  C:\Windows\System32\OpenSSH\ssh-agent.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Windows\system32\SearchIndexer.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Windows\system32\AppVClient.exe  alg.exe
File opened for modification  C:\Windows\system32\AppVClient.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Windows\system32\msiexec.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Windows\system32\MSDtc\MSDTC.LOG  msdtc.exe
File opened for modification  C:\Windows\system32\SgrmBroker.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Windows\System32\msdtc.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Windows\system32\locator.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Windows\system32\dllhost.exe  alg.exe
File opened for modification  C:\Windows\system32\fxssvc.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Windows\System32\snmptrap.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Windows\system32\AgentService.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Windows\System32\vds.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Windows\system32\dllhost.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Windows\SysWow64\perfhost.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Windows\system32\TieringEngineService.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Windows\System32\SensorDataService.exe  alg.exe
Drops file in Program Files directory (64 IoCs)
description  ioc  Process
File opened for modification  C:\Program Files\Java\jre-1.8\bin\keytool.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\kinit.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\7-Zip\Uninstall.exe  alg.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\servertool.exe  alg.exe
File opened for modification  C:\Program Files\Windows Media Player\wmpnetwk.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\keytool.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\rmic.exe  alg.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\uninstall.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Internet Explorer\ielowutil.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jar.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\ktab.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jdeps.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jmap.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\klist.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jstatd.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe  alg.exe
File opened for modification  C:\Program Files\Internet Explorer\ExtExport.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jdeps.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe  alg.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\mip.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\keytool.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\rmic.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\jabswitch.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\tnameserv.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\java.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe  alg.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\chrome_proxy.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javaws.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\kinit.exe  alg.exe
File opened for modification  C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaw.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe  alg.exe
File opened for modification  C:\Program Files\dotnet\dotnet.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javadoc.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe  alg.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\mip.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\java.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files (x86)\Internet Explorer\ielowutil.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javaw.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\vlc.exe  alg.exe
File opened for modification  C:\Program Files\Mozilla Firefox\private_browsing.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\java.exe  alg.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\policytool.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\pack200.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\wsimport.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
Drops file in Windows directory (3 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  alg.exe
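The three "Drops file" lists above are only useful if they can be turned into a verification list for hosts that ran the sample: which existing binaries were opened for modification, by whom, and which of those were then executed. The script below is an added example written for this report, not part of the sandbox output. Its input strings are copied from the "Executes dropped EXE" list and a subset of the drop entries above, in the flattened one-line form the report arrived in; the regex that splits them is an assumption about that layout (a path, possibly containing spaces, followed by a single-token process name).

```python
"""Correlate 'File opened for modification' IoCs with processes the sandbox
later saw executing.  Paths whose basename was executed are the binaries to
hash/signature-check first on any host that ran this sample.

Input below is copied from the report's 'Executes dropped EXE' and
'Drops file in ...' sections (a subset of the drop entries), in the
single-line layout the report text arrived in.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE_NAME = "2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe"

EXECUTED = (
    "pid Process 2192 alg.exe 4708 DiagnosticsHub.StandardCollector.Service.exe "
    "1604 fxssvc.exe 4556 elevation_service.exe 1092 elevation_service.exe "
    "3920 maintenanceservice.exe 2372 msdtc.exe 4128 OSE.EXE "
    "976 PerceptionSimulationService.exe 4448 perfhost.exe 4788 locator.exe "
    "4296 SensorDataService.exe 2540 snmptrap.exe 3116 spectrum.exe "
    "3360 ssh-agent.exe 4060 TieringEngineService.exe 5004 AgentService.exe "
    "3048 vds.exe 4652 vssvc.exe 5172 wbengine.exe 5416 WmiApSrv.exe "
    "5684 SearchIndexer.exe -"
)

# Subset of the report's drop entries (System32, Program Files, Windows dir).
DROPS = (
    "description ioc Process "
    r"File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\948dd73d92be0f3e.bin alg.exe "
    rf"File opened for modification C:\Windows\system32\vssvc.exe {SAMPLE_NAME} "
    rf"File opened for modification C:\Windows\System32\SensorDataService.exe {SAMPLE_NAME} "
    r"File opened for modification C:\Windows\system32\fxssvc.exe alg.exe "
    rf"File opened for modification C:\Windows\System32\alg.exe {SAMPLE_NAME} "
    r"File opened for modification C:\Windows\system32\msiexec.exe alg.exe "
    rf"File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe {SAMPLE_NAME} "
    r"File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe "
    rf"File opened for modification C:\Windows\SysWow64\perfhost.exe {SAMPLE_NAME} "
    r"File opened for modification C:\Windows\System32\SensorDataService.exe alg.exe "
    rf"File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe {SAMPLE_NAME} "
    rf"File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe {SAMPLE_NAME} "
    rf"File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe {SAMPLE_NAME} "
    r"File opened for modification C:\Windows\DtcInstall.log msdtc.exe -"
)

# Assumed layout: description, a path that may contain spaces, then one
# whitespace-free process token, followed by the next entry or end of text.
ENTRY_RE = re.compile(
    r"File opened for modification\s+(?P<path>.+?)\s+(?P<writer>\S+)"
    r"(?=\s+File opened for modification|\s*$)"
)
PID_RE = re.compile(r"(?<!\S)(\d+)\s+(\S+)")


def parse_executed(text: str) -> dict[str, list[int]]:
    """Executed image name (lower-cased) -> pids seen for it."""
    procs: dict[str, list[int]] = defaultdict(list)
    body = text.split("pid Process", 1)[-1]
    for pid, name in PID_RE.findall(body):
        procs[name.lower()].append(int(pid))
    return dict(procs)


def parse_drops(text: str) -> dict[str, set[str]]:
    """Modified path -> set of processes that opened it for modification."""
    writers: dict[str, set[str]] = defaultdict(set)
    clean = re.sub(r"\s*-\s*$", "", text)  # drop the report's trailing separator
    for m in ENTRY_RE.finditer(clean):
        writers[m.group("path")].add(m.group("writer"))
    return dict(writers)


def hunt_list(drops: dict[str, set[str]], executed: dict[str, list[int]]) -> dict[str, dict]:
    """Modified paths whose basename later ran: verify these binaries first."""
    flagged = {}
    for path, who in drops.items():
        name = PureWindowsPath(path).name.lower()
        if name in executed:
            flagged[path] = {"writers": sorted(who), "pids": executed[name]}
    return flagged


def executable_writers_other_than_sample(drops: dict[str, set[str]]) -> list[str]:
    """Processes besides the sample that modified .exe files (second-generation infectors)."""
    who = {w for p, ws in drops.items() if p.lower().endswith(".exe") for w in ws}
    return sorted(who - {SAMPLE_NAME})


if __name__ == "__main__":
    drops = parse_drops(DROPS)
    executed = parse_executed(EXECUTED)
    for path, info in sorted(hunt_list(drops, executed).items()):
        print(f"{path}  written by {', '.join(info['writers'])}  ran as pid {info['pids']}")
    print("second-generation writers:", executable_writers_other_than_sample(drops))
```

With the full drop lists pasted in, the hunt list is the set of service binaries to compare against known-good hashes; the second-generation writer output (alg.exe here) tells the responder that cleaning the original sample alone is not enough, because a modified service binary carries the same write behaviour.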
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Both reading processes, spectrum.exe and SensorDataService.exe, are service binaries the sample opened for modification (see "Drops file in System32 directory"). This list alone does not show whether the reads come from injected code or from the services' own device enumeration; the device names it exposes (a QEMU DVD-ROM, Microsoft virtual DVD-ROMs, a "DADY" hard disk) are the sandbox VM's identity, which is what a VM check would look at.
All keys are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\; that prefix is omitted below.
description  ioc  Process
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
Key opened  CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000  spectrum.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002  SensorDataService.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key value queried  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName  SensorDataService.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001  spectrum.exe
Key opened  CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key value queried  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName  SensorDataService.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
Key value queried  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName  spectrum.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
Key opened  CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key opened  CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened  CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key opened  CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened  CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  SensorDataService.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002  spectrum.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened  CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened  CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
Key opened  CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key opened  CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001  SensorDataService.exe
Key value queried  CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName  SensorDataService.exe
Key value queried  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  SensorDataService.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key value queried  CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName  spectrum.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  spectrum.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key value queried  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName  spectrum.exe
Key opened  CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key opened  CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key value queried  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  spectrum.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key opened  CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000  SensorDataService.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key opened  CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
None of the keys below is a Run key, service entry or other persistence location. They are MUI-cache display strings, FileExts/OpenWithList keys and shell-extension cache stamps under the .DEFAULT hive, written by the search indexer's host processes (SearchProtocolHost.exe, SearchFilterHost.exe), by fxssvc.exe, and one TPM telemetry timestamp from chrome.exe. Read them as side effects of those services starting under the system account, not as indicators on their own.
description  ioc  Process
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006563edd630bcda01  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"  fxssvc.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e503add630bcda01  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af7c84d630bcda01  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml  SearchProtocolHost.exe
Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133626056737735674"  chrome.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList  SearchProtocolHost.exe
Key created  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry  chrome.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000136274d030bcda01  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f4d80d030bcda01  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"  fxssvc.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e96790d630bcda01  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer  SearchFilterHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e83ce6d630bcda01  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"  fxssvc.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software  SearchFilterHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000197ba3d630bcda01  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates  SearchFilterHost.exe
Modifies registry class (1 IoC)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (chrmstp.exe)
Suspicious behavior: EnumeratesProcesses 39 IoCs
Suspicious behavior: LoadsDriver (2 IoCs)
PID 660: Process not Found
PID 660: Process not Found
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
PID 4456: chrome.exe
PID 4456: chrome.exe
PID 4456: chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow (4 IoCs)
PID 4456: chrome.exe
PID 4456: chrome.exe
PID 4456: chrome.exe
PID 5604: chrmstp.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe"
  PID: 4736
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x29c,0x258,0x264,0x2a0,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
    PID: 4480
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
    PID: 4456
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa650ab58,0x7ffaa650ab68,0x7ffaa650ab78
      PID: 4852

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1908,i,14936593177937699018,2353614149447367346,131072 /prefetch:2
      PID: 1060

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1908,i,14936593177937699018,2353614149447367346,131072 /prefetch:8
      PID: 3416

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2112 --field-trial-handle=1908,i,14936593177937699018,2353614149447367346,131072 /prefetch:8
      PID: 740

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1908,i,14936593177937699018,2353614149447367346,131072 /prefetch:1
      PID: 2068

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1908,i,14936593177937699018,2353614149447367346,131072 /prefetch:1
      PID: 2692

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4388 --field-trial-handle=1908,i,14936593177937699018,2353614149447367346,131072 /prefetch:1
      PID: 4304

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3924 --field-trial-handle=1908,i,14936593177937699018,2353614149447367346,131072 /prefetch:8
      PID: 3444

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=1908,i,14936593177937699018,2353614149447367346,131072 /prefetch:8
      PID: 2064

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4152 --field-trial-handle=1908,i,14936593177937699018,2353614149447367346,131072 /prefetch:8
      PID: 2996

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4608 --field-trial-handle=1908,i,14936593177937699018,2353614149447367346,131072 /prefetch:8
      PID: 5128

    C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
      PID: 5352

      C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff64626ae48,0x7ff64626ae58,0x7ff64626ae68
        PID: 5444

      C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
        PID: 5604
        - Modifies registry class
        - Suspicious use of FindShellTrayWindow

        C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
          Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff64626ae48,0x7ff64626ae58,0x7ff64626ae68
          PID: 5624

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1908,i,14936593177937699018,2353614149447367346,131072 /prefetch:8
      PID: 5428

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1576 --field-trial-handle=1908,i,14936593177937699018,2353614149447367346,131072 /prefetch:2
      PID: 2816
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  PID: 2192
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  PID: 4708
  - Executes dropped EXE

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 3632

C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  PID: 1604
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  PID: 4556
  - Executes dropped EXE

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  PID: 1092
  - Executes dropped EXE

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  PID: 3920
  - Executes dropped EXE

C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  PID: 2372
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  PID: 4128
  - Executes dropped EXE

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  PID: 976
  - Executes dropped EXE

C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  PID: 4448
  - Executes dropped EXE

C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  PID: 4788
  - Executes dropped EXE

C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  PID: 4296
  - Executes dropped EXE
  - Checks SCSI registry key(s)

C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  PID: 2540
  - Executes dropped EXE

C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  PID: 3116
  - Executes dropped EXE
  - Checks SCSI registry key(s)

C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  PID: 3360
  - Executes dropped EXE

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 4988

C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  PID: 4060
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  PID: 5004
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  PID: 3048
  - Executes dropped EXE

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4652
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  PID: 5172
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 5416
  - Executes dropped EXE

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  PID: 5684
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    PID: 5764
    - Modifies data under HKEY_USERS

  C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    PID: 6120
    - Modifies data under HKEY_USERS

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 5128
Downloads
-
Filesize
16KB
MD59e8caddcd604efd7109cb67a889bb0f0
SHA11a9f2db88e74f78374566475f316b8a7ea86c60b
SHA25649cfd2562307c7c3f921aed6a6aa6082a25915c891a4bac47f1b096a19f79c54
SHA5123498bbd13e19aed1149c5324dd0f7724c69d52861bbbfb2b29d770ca5c10aff60bc7ae87afb3c94e86ab8fe5675a28a4c1dffac82c7b6aebd0d9eb0fb0c0e937
-
Filesize
264KB
MD5dcd1f57c2b4a8f9030ad563203774a7b
SHA1b8226ac2eab4cece903618d36195d6e5b45f04b7
SHA256091abba75698b07a851b3a2c763aa65b8139573df15939f72c20bb34a7c45b4b
SHA5124fbb26e7d06b283daae4ff3ce82c4b95af0cb9b9bae2def033894c4b0628b4b326a8bac654ece3caf6c84f1dc29524d5a97c52ec4dd640679a5f4b6e1ef35416
-
Filesize
7KB
MD50396a9dc8a57c3632ce199234f3ea101
SHA12ea5c2d8cacac561c906beeed30657aa9f20d94c
SHA256d9148fad45a9e0c0db6502648e59df1a045872a55b4be54621881a497f82f6d9
SHA5123cb2854e734fec607af8f47014feacad581a824bd7f6a149cd7540d369a331f140669fb7ae4cb3707ecb5942e12edfca7dd4c32eb612f091f5bdac69fcda765a
-
Filesize
8KB
MD5414f580a6789fca2d468fa5d59c4229e
SHA14f1173c3372b9079a4225a0e308731da3632d650
SHA25696b3fa587f0dcced2d60c7060e2bdd9dee3fdd9ed684a603b13c882632bffea8
SHA5121f389f1d8f9dba9098942f0c4023ffa7227cd0d3dacfc2d5eefa72b840db68a5d8ec139b0a51116ccd54c9fd8b659a3dd15337847d4790e3d966f4c2b862d887
-
Filesize
12KB
MD5e395d52f4ad4aedb6aaacf70a9eb4bee
SHA1aae19b484cda48e6ba3ec3eed9c0bce54db7bd2c
SHA25676d75be72e5e19ca8fd242386f6612f9abbed9dfce7af4999bbc9b09766aeca1
SHA512c5c389dbb1ed8947fe574f5ab8d98f85e9aa29ee9c279a30780a66477cd94da43f588d8ebff72c93a55595fbf70c42e78bb9a9ffa1945c15bd0febed6cafdba6
-
Filesize
1.4MB
MD5115f6dedf417ee698d764718e8088a8c
SHA1cf183222d20fc35bb8dc9e8a444f4638c1e3ed27
SHA256305799fc0e7cda5612ae2651fbeed269c6ba079f75d965897a73ae3abdf6d7da
SHA5129f9d8d1aaeb1cc488b22062026d5b1f2016b55920cfe0c75ae8e5436eb904fe220fa26de559ca3218407de76682ab8c2b765a03eb45ff7ecd8babfaaa119c5f6
-
Filesize
1.7MB
MD51e6811fc711d9b1135c94002b47db837
SHA125d523a7dd8577c8b2b9474e45493846fbbe23bc
SHA256f141914ab4086dca1ef5d0ecdd05c07c42b5ff7d94af6d1b0604ceae16df4d43
SHA512ce2ae3a5261a14c03feae0612bec8704a003e8e2d91823e5e0c706e40a134ccaeff0ec677ea90548c8a7c42df4cfb6391c7b8c32a79f1edc0b6bb40bbeef1f32
-
Filesize
1.5MB
MD5b2ea0701243edc9a43185f5c5d315240
SHA11b690409fd90f44a7273c368184ab43114b1b32b
SHA256e2a95c5c4696fe90cd2148fb6aff26a1a7f023f6a8e94fc4e165aec002a8db35
SHA512ac05bf47482cfdd0ff85f9a615b36abc40089ad596fc6f7423821d64d60d033b2e02f31ac66732d08767d359318e525a5d8310391a643f3bf1c3536cfe930910
-
Filesize
1.2MB
MD59f8cdb324ab9a2bdd8a3ae8f6f0fc823
SHA16317d36a24ceea22c1ea5810eebe11413f00dd1c
SHA2569e309bd368a48f6ccd92e27280a250d981eaf9980ffe7570f7749ed1c1b30b60
SHA512cf998845764ef628cb26b809b79f83477216ca35d575b06a28e159a98dcc65f999168e6276de80baac5fcce496422d842b6edf55b7fdc5d1c7635eb63eaac0c6
-
Filesize
1.4MB
MD58357a83bceec0fdb15456d954a15400e
SHA1d345a7db5bba48826b3fcc7caee43e165f9fc17a
SHA256594b0e32c57c84cf8ff352191aa56b91ed3781d945a27886f8dc628ad0fd5b74
SHA512775a56a2d1c42a41a3a7e57bf43a7934aa4df6da9e63750b531933ff0c6d945c185efcea2700f13316ee773506ebd9f6072bc12e6a0b3c41d3ccb6cf019b2e61
-
Filesize
1.7MB
MD502bb0a1da4ae86267ea55adb79285d6a
SHA1a5af9ea917beda40701ea54501ee56dca5214970
SHA2565d0bcb85e9a8df81b25979491163ca02e81af7f33373f841024cdcc13fe7ef7a
SHA5123e408a7cb234ae5b389cece0aa96e4125bdbd0f540e31e006768a20954af4d58aaa48938f1e1c30396e204f0c1865147811b52e0adf314247009d0caa6556644
-
Filesize
1.5MB
MD55b2b0e4949d34821c8ca8b9c4f0bc0f7
SHA1503c0d612cd6de070775e7c036b9d0c65831d465
SHA2565a9606261edaee9722a3bf8c4ff40985b40ae046053f978173f1c9ce4a6a9e76
SHA512ab7067cfb7f7b39d89df8c17e2adbd4f8afced36eda4711e684210def47fa092b1f7a64eeb3e09a2cddb4c490e8a105f1ac246ead6f15a738977431ed2732eaf
-
Filesize
1.4MB
MD534564a4297bf49eab94cfed02104e95e
SHA1d1fd29da308cca94e3a474930d17cc39fe214f3e
SHA256d94ed229041c675f05f7143677e2c7c8e1f298f6c8a7a71f9e64365611e3beb4
SHA512d1dfc05599f7a220f9073af9234073ec9b30e79db03e81d2436837d4c91ca354cd88712841f2009fbc1f0c4018772d1c369f2828616b80b55f3d3f9c01ee1af4
-
Filesize
1.8MB
MD56c6bfba1795f52174564bc8e85308297
SHA137f850c7a2213e24f04ef02188314ac6b8cc2118
SHA2566106ff7a73b42c71bb079b29e2f2bcb3f9f9b2461ee35d67649a7915fc58b286
SHA51226aeab0fd5ba37a99f6ff6d6112633ada4c50e1080795dcdfcecb8d79a82863b5dc9b6b96abb2ae5b11ea973d1fc0c8c8a7eb3d1d30007acc40cc97626d80bf5
-
Filesize
1.4MB
MD52681953bec0c339d671516d824bdb316
SHA1ae3b48f09e3e4bbaa8afba2047119074fa93b7f4
SHA2566df73387d52fc0b0d58e38ff45f17e1945a299e99e9c22871a7ccdbbe274fd73
SHA512ff04a6766d2630d46b7db940894b110d9287ea1cb672e100d5b527660bcf968bc814fa1d64ce996b4b4a76c247e7c0173efacee1244a43b91e8ba703cedaeb4d
-
Filesize
1.7MB
MD5630beadf7043e11a5eb24e34b61cfc9b
SHA1373c5b46747cce1b1ef3a0097dc43113bc03940c
SHA256eddafc2fcdfdf9d08bc07c2772c35051ea5331553d842c21ae151577472a4d57
SHA512c580eb760271cb362774442cc1b2d1cc4593cad705215135fc40512cd3da55c86bc99fe18676b6570ff5162802c50b4620f433742577b0f99c1f862c1c8cc1bb
-
Filesize
2.0MB
MD59ee5a2a02e68e44f8fb5278fae6f07f5
SHA1f65607b5e7e7516322df79eafe41a7d25d1e0e49
SHA2567d8854f8610d4784fa17e3115f4377b516739c9b53acc4c0f125670c92d1afcd
SHA5123746fb0048a55cfc564f91f971deb30e4de5ae330ffa81ec089a4b39016316bef90fc1f6198b0a9327d63c1da48f94be6fec88f26f97521f330ad40a7406b623
-
Filesize
1.5MB
MD5dfdac4103b25f9c96223e2f95f2884df
SHA18904474b4c6a2659dc738c1c7dc2f2b3b90855ce
SHA25652aafeb92865efee3dc1f6c55d69fbb411226529d5d54a4da22fff8f0fba823d
SHA5124ba67dea55dfc6414317a66782b1dbac6a7d02418c0f092e750335af438c0a894f8329939b189d2c1d6d273b2fca3f8d220fbd2be726e5a33d8f6214f85a30e8
-
Filesize
1.5MB
MD5e7ce5bde054b741cbf07a7615ec62f84
SHA1585ea0249f0568c91d42af644f0004ff2cb848c4
SHA256573c43d9ca703542646be992090acfebbf34db687f3a3aebbdd8210c44ca8d59
SHA512b9c9cdfe3a483e34c6a5b93dc3396215ce30432ab71ff9e369589595906f478cf8508805a3421a6c000d630dec871e47cb6e29f7e533a0873f589c466f03659c
-
Filesize
1.4MB
MD5451ec86d4259910bae1c9c8b0b051bb1
SHA1d381af8b013fe1cfd0ba6f955d6c75a6c729e2ce
SHA2563a7b8b1ef36ca71c20ad0cb4ed2ecdfacd2bc2af7c539baea468779fab19433b
SHA512cf44d7e2a1afcd12f2fa230532ab86302c0c7c085d30f63185e9844bc65ebae1bfd14231107cbad81a9f0d37688499bd1125667a728b2ca32411bed023c2ac90
-
Filesize
1.3MB
MD51f33d8610e093d10301325c73a776606
SHA1f0d523b3f0be289698bf6eecd93784f4100e3559
SHA256887429bab73001bbb9aef5e0f97f0b604bbb0fe8d421be13d2ea45626c721ec9
SHA5123c4251fc77a4b49019ac82de8319e86d8a4e9f06f6ea5647ff1c826f1e9e697abd2d791176f722ed8bccc39cb40621828c3c28c461f924ba61dd801dea4b6e8a
-
Filesize
1.6MB
MD5acdc85613a9a2351be266971446efb6d
SHA1370d4fb8151c000c8a49964bb20811774c9c5427
SHA256dc5e1e96731031725928b987cf1a2f2bd2d6fe8ec864b15808d4e26640f21ca4
SHA512f08c1ef8814fa84fa1dd68fec3a3cc9e3afda7f20bbb851bd742e7c575303291541fccdd19d72c59b191f8d28efc9a35758aee1309d19eb870ac7425a72b4d40
-
Filesize
2.1MB
MD5bdf648d80d41eff9ffc4b9d16ebaa96e
SHA107aca5704238f1ac871b834881d0b74b25a4103d
SHA256024f366a8c2db4a20794908aed789e4474ece2011923a5c365fa5eed081cbed2
SHA5125cc697360750f5b942b2c857a9fd3a839505c7bf0e914864f547a5752038e925bb4dca23d6d708221433f43096f774023b8ab42f097277ca638fa39e722afe28
-
Filesize
40B
MD5f8da1e3912337378c0f722f616cf6aaf
SHA122482c3e69a3b76d24d4e88d30e345654afd0338
SHA256342768ee193e599905624366abf160660028ba384d57ae4da8734bc9473b010b
SHA512b72adac4dc3ef8cd0c1275eaf376da652f8aa271a162aac1a54571f6f93c0e5fe9fec69a9cf380f84fa3ce438f06e3c9c2493a1d422f5d1bf4c46d6962ca9f47
-
Filesize
1.3MB
MD5b0264c7e9f1fd3f7dbfb1aaa385efd78
SHA1e4b38be95141b70c0c74a19c45eabf900c3048d4
SHA25691159fcc8ce1933a8da929c8ad1d3a01c4eb455aa86e2177e87efe0b572e5696
SHA512700ee266e29850c4c8ae04443571564cb2c45f319d2b7d9ba9c4b963d0a9d82bb659a6057eb569b593bbd84d424ef523a59a5ed21cb43276137e21f42bacf503
-
Filesize
1.7MB
MD589c15cbf9b5890f6f9cdfe21d4031acf
SHA1fbc4ae2903089b12e9d00439ebab5b1521e6cf70
SHA256b616ae69abd1336d6174b9f3edf1b56d2599631d9d51c408328a0a562e11a782
SHA5126d3359a3e25972c5d6245610cbcbca952aefe2c1781503c2cff575b1e552a600ea7c10f0f7ed444ca8a18b7c472256f2f238a1a43d3f69ff45d801c30efad538
-
Filesize
1.4MB
MD536ddf36093a0992222ebe8fb47adbb6b
SHA12367f872d84a1ded613b95d1606dd0c59a7ecb47
SHA256ad38ffca3be8ef81045294f83cfc818a016cdf2a26bb3d981d2f425969631054
SHA512bdce24c0a37aa4be0ee3b7a318a568da623cbb8d2299f39f501d09ed9611f9cac0798e9f66ad0f60abee757578d4490410ca90bd46789af118219eaacc34c61b
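Turning a dropped-file listing like the one above into usable indicators takes more than copying hashes: the extracted text fuses labels onto values ("MD5<hex>", "Filesize5KB"), most entries carry no path, and several of the tiny files are trivial content that must not go into a blocklist. The following is an added example, not part of the original report and not the sandbox's own tooling. It parses the listing format into records, checks every digest has the right length and hex alphabet, recomputes the digests of a few trivial byte strings to flag entries such as the 2-byte file (its four digests are those of the literal bytes `[]`, which the code verifies with hashlib rather than assuming), and emits a deduplicated SHA256 set with those entries removed. The SAMPLE text is constructed to mirror the report's layout using three entries copied from the listing; the names `parse_dropped_files`, `validate`, `identify_known_content` and `ioc_sha256s` are this example's own.

```python
"""Parse a sandbox 'dropped files' hash listing into IOC records and sanity-check it.

Added example; not part of the original report. SAMPLE is constructed to mirror
the report's listing format (label/value pairs, some fused as 'MD5<hex>',
records separated by a lone '-'), using three entries copied from the report.
"""
import hashlib
import re

LABELS = ("SHA512", "SHA256", "SHA1", "MD5", "Filesize")   # longest first
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"^[0-9a-f]+$")
PATH_RE = re.compile(r"^([A-Za-z]:\\|\\\\)")               # Windows drive or UNC path

# Constructed sample: one plain entry, one with a path line and fused 'Filesize5KB',
# and the 2-byte file.
SAMPLE = r"""
Filesize
2.2MB
MD560294e18541879e8b2e15032cdefdb3c
SHA1f6a02df619cff360b6439246f470a4227b568b2e
SHA256db442ad3fcd16075298147b7ddf1a86ef8b8795777ca813618a919224d807eb4
SHA512e64f41b7a05e6a1de239905cdeb6763fc4639ffc34f73d23e0c6441b6b38c3db4520c299f9e1d907fc5a2caca2e4078d80549ca36dc80d4163ab5f811ba51594
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6cdff3b0-3c2d-4f0b-b7f8-f6cbe43f3181.tmp
Filesize5KB
MD55e43b56a90c68ed9e121355321347d41
SHA13a4993e6bebc9954fbec67e57d5cb52457ad90f3
SHA256c08651c7925936940f848a38f70286973dbb2a9c8bf27d8cb56d0d68359043e6
SHA512d403d6625986a3198253a08cc91c5fd1cca2bc15012186e07b8cd980372dbdd96e52c4090691de35b3b75302631f69129f3ed26e8d78490dde48a0b11192d154
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
"""


def split_label(line):
    """Split 'MD5<hex>' or a bare 'MD5' into (label, value); value is '' when it sits on the next line."""
    candidates = [(lab, line[len(lab):].strip()) for lab in LABELS if line.startswith(lab)]
    for lab, rest in candidates:
        # Prefer the reading whose value has the expected digest length, so a SHA1
        # value that happens to start with '512' is not read as a SHA512 label.
        if rest == "" or len(rest) == HASH_LENGTHS.get(lab, len(rest)):
            return lab, rest
    return candidates[0] if candidates else (None, line)


def parse_dropped_files(text):
    """Return one dict per entry with keys path, Filesize, MD5, SHA1, SHA256, SHA512 (as present)."""
    records, cur, pending = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                      # entry separator
            if cur:
                records.append(cur)
            cur, pending = {}, None
            continue
        if PATH_RE.match(line):              # optional path line precedes the fields
            cur["path"] = line
            continue
        if pending is not None:              # value for a label that stood alone on the previous line
            cur[pending] = line
            pending = None
            continue
        label, rest = split_label(line)
        if label is None:
            raise ValueError(f"unexpected line in listing: {line!r}")
        if rest:
            cur[label] = rest
        else:
            pending = label
    if cur:
        records.append(cur)
    return records


def validate(records):
    """List (index, algorithm, problem) for digests that are missing, wrong length or not lowercase hex."""
    problems = []
    for i, rec in enumerate(records):
        for algo, n in HASH_LENGTHS.items():
            v = rec.get(algo)
            if v is None:
                problems.append((i, algo, "missing"))
            elif len(v) != n or not HEX_RE.match(v):
                problems.append((i, algo, f"malformed: {v}"))
    return problems


def digests(data):
    """All four digests of data, keyed like the report."""
    return {"MD5": hashlib.md5(data).hexdigest(), "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest(), "SHA512": hashlib.sha512(data).hexdigest()}


KNOWN_CONTENT = {b"": "empty file", b"[]": "empty JSON array", b"{}": "empty JSON object"}


def identify_known_content(records):
    """Flag entries whose digests are those of trivial content (worthless as IOCs).
    Returns (index, description, all_present_digests_consistent)."""
    hits = []
    for i, rec in enumerate(records):
        for content, desc in KNOWN_CONTENT.items():
            expected = digests(content)
            if rec.get("SHA256") == expected["SHA256"]:
                present = [a for a in HASH_LENGTHS if a in rec]
                hits.append((i, desc, all(rec[a] == expected[a] for a in present)))
    return hits


def ioc_sha256s(records, skip_known=True):
    """Sorted, deduplicated SHA256 values for a blocklist, minus trivial-content entries."""
    known = {i for i, _, _ in identify_known_content(records)} if skip_known else set()
    return sorted({r["SHA256"] for i, r in enumerate(records) if "SHA256" in r and i not in known})


if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE)
    print(f"{len(recs)} entries, problems: {validate(recs)}")
    print("trivial content:", identify_known_content(recs))
    print("IOC SHA256s:", ioc_sha256s(recs))
```

Run against the full listing, `validate` catches the transcription slips that creep in when hashes are copied by hand, and `identify_known_content` is the reason the 2B entry should never reach a detection rule: any Chrome profile on any machine will contain a file with exactly those digests.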